On Sun, Nov 21, 2010 at 09:41:09PM -0500, chris guirl wrote:

> I've set up a Postfix server to handle SMTP for a few domains on my
> local network. I don't want to rely on clients to "do the right thing"
> and trust them to enable encryption and authentication on their own.
> So, I'd like to disable all plain text logins that are not encrypted,

http://www.postfix.org/TLS_README.html#server_tls_auth
http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options

> and disable anonymous SMTP for obvious security reasons.

It is not obvious to me which reasons you have in mind; you should be
explicit about your security goals. What threats do you want to mitigate?

You also don't specify whether your server is an MSA only, or also an
MX host.

> Dovecot is handling IMAP. I've successfully configured Dovecot to
> require encryption for all requests. I've also set up Postfix as best I
> can tell to do what I want. However, it still allows me to send email
> without authentication,

As should any MX host when the recipient domain is final or a relay
domain.

> as well as with authentication but using a plaintext login.

See the document links above.

> I have fully read the SASL README file, as well as
> the relevant parts of the postconf man page.

It's all there...

> It is noteworthy that I am using Dovecot to perform the authentication
> ("smtpd_sasl_type = dovecot"). Dovecot is looking up credentials from
> a database. I am unable to find documentation on how much
> configuration Postfix inherits from Dovecot when used in this manner.

Postfix can't offer SASL mechanisms that Dovecot is not configured to
use. Other than that, you configure Postfix policy in Postfix.

> smtpd_tls_auth_only = yes

With this SASL AUTH will NOT be available without TLS.

> # SASL
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous, noplaintext
> smtpd_sasl_tls_security_options = noanonymous

This looks correct.

> # Restrictions
> smtpd_recipient_restrictions = permit_mynetworks,
> permit_sasl_authenticated, reject_unauth_destination
> smtpd_delay_reject = yes
> smtpd_client_restricitons = permit_sasl_authenticated, reject

If you are able to submit email without TLS or SASL auth, you are
reporting configuration settings from the wrong main.cf file, or have
substantial overrides of these parameters in master.cf.

--
	Viktor.
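A way to verify, from the client side, that the running server actually enforces the policy discussed in this thread (no AUTH advertised before STARTTLS, no ANONYMOUS mechanism), as an added example that is not part of the original thread. The EHLO replies are constructed sample data, and `probe()` is a hypothetical live check that needs network access; the parsing and policy functions run offline.

```python
import smtplib
import ssl

# Constructed EHLO replies (sample data, not captured from a real host).
# A server with smtpd_tls_auth_only=yes must look like EHLO_BEFORE_TLS_GOOD
# on the cleartext connection and may only offer AUTH after STARTTLS.
EHLO_BEFORE_TLS_BAD = ("250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n"
                       "250-AUTH PLAIN LOGIN\n250 8BITMIME")
EHLO_BEFORE_TLS_GOOD = ("250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n"
                        "250 8BITMIME")
EHLO_AFTER_TLS = ("250-mail.example.com\n250-PIPELINING\n"
                  "250-AUTH PLAIN LOGIN\n250 8BITMIME")

def _strip_code(line: str) -> str:
    """Drop a leading '250-' / '250 ' (smtplib already strips it)."""
    return line[4:] if line[:3] == "250" and line[3:4] in ("-", " ") else line

def auth_mechs(ehlo_reply: str) -> set:
    """Return the SASL mechanisms advertised in an EHLO reply, upper-cased."""
    mechs = set()
    for raw in ehlo_reply.splitlines():
        body = _strip_code(raw).strip()
        if body.upper().startswith("AUTH ") or body.upper().startswith("AUTH="):
            mechs.update(body[5:].upper().split())
    return mechs

def check_policy(before_tls: str, after_tls: str) -> list:
    """Return policy violations for a (cleartext, post-STARTTLS) EHLO pair.
    Empty list means the observed behaviour matches smtpd_tls_auth_only=yes
    plus smtpd_sasl_security_options=noanonymous,noplaintext."""
    problems = []
    caps = {_strip_code(l).strip().upper() for l in before_tls.splitlines()}
    cleartext = auth_mechs(before_tls)
    if cleartext:
        problems.append("AUTH offered before STARTTLS: %s" % sorted(cleartext))
    if "STARTTLS" not in caps:
        problems.append("STARTTLS not offered")
    if "ANONYMOUS" in (cleartext | auth_mechs(after_tls)):
        problems.append("ANONYMOUS mechanism offered")
    return problems

def probe(host: str, port: int = 587) -> list:
    """Hypothetical live check: fetch both EHLO replies and apply the policy."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        before = s.ehlo_resp.decode("ascii", "replace")
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        after = s.ehlo_resp.decode("ascii", "replace")
    return check_policy(before, after)
```

Run `probe("mail.example.com")` against the submission port; any returned string is a setting that main.cf or a master.cf override has not actually applied.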