Il 19/03/2013 17:41, Viktor Dukhovni wrote:
On Tue, Mar 19, 2013 at 02:18:51PM +0000, Matteo Marescotti wrote:

submission inet n       -       -       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
...
With "smtpd_tls_security_level=encrypt" only EHLO, NOOP and QUIT
are allowed before STARTTLS.  The other commands will be rejected,
but of course we can't prevent the client from sending them.
I said Postfix accepts the MAIL FROM command before user authentication, not before STARTTLS.
With this configuration, messages can only be submitted through port
587 after an encrypted connection has been established and user
authentication has succeeded. So users need to authenticate
themselves in order to send emails. Nevertheless, Postfix accepts
the MAIL FROM command before authentication.
Show real evidence of this, after making sure your master.cf file
reflects run-time reality (postfix stop/start or at least reload).

Of course master.cf reflects run-time reality. Here follows the real evidence, which you can reproduce yourself. If you remove all client restrictions ( -o smtpd_client_restrictions= ) from my configuration and issue

openssl s_client -connect host:587 -starttls smtp

you get

250 DSN
mail from:<mares...@sdf.org>
250 2.1.0 Ok
rcpt to:<mares...@sdf.org>
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Hi, this is a test.
.
250 2.0.0 Ok: queued as ...

and the message is sent.

If you keep client restrictions ( -o smtpd_client_restrictions=permit_sasl_authenticated,reject ) and issue the same command as above, you get instead

250 DSN
mail from:<mares...@sdf.org>
250 2.1.0 Ok
rcpt to:<mares...@sdf.org>
554 5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied

because user authentication is now required. I simply wondered why the client is rejected after "rcpt to" and not right after "mail from". Maybe there is no configuration option that allows rejecting an unauthenticated client after the first command. I asked because you are certainly more familiar with Postfix configuration options than I am. Thank you anyway.

Matteo
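Added example, not part of the thread: the probe below automates the manual openssl s_client test above with Python's smtplib, sending MAIL FROM and RCPT TO over STARTTLS without AUTH and reporting the first stage at which the server refuses. It never sends DATA, so nothing is queued even against a server with no restrictions. The ScriptedSession class replays constructed replies modelled on the two transcripts in the thread so the logic can be exercised offline; the addresses, host name and the "immediate reject" reply text are assumptions. The Postfix parameter behind the behaviour asked about is smtpd_delay_reject (default yes), which defers evaluation of smtpd_client_restrictions, smtpd_helo_restrictions and smtpd_sender_restrictions until RCPT TO; that is why the 554 only appears after "rcpt to". Setting it to no makes the client restriction fire at connection time, before the client has had any chance to AUTH, so permit_sasl_authenticated could never match on a submission service.

```python
"""Probe a submission service (port 587) to find the SMTP stage at which an
unauthenticated client is refused.  Added example, not the thread's own code."""
import smtplib
import ssl

# Hypothetical addresses; substitute ones your server would relay for.
SENDER = "probe@example.invalid"
RECIPIENT = "probe@example.invalid"


def probe_unauthenticated(session, sender=SENDER, recipient=RECIPIENT):
    """Send MAIL FROM and RCPT TO without AUTH and report the first refusal.

    `session` must expose mail(), rcpt() and rset() following smtplib.SMTP's
    (code, message) return convention, so a live smtplib.SMTP object and the
    offline ScriptedSession below both work.  Possible results:
      "rejected at MAIL FROM"  restrictions evaluated before RCPT TO
      "rejected at RCPT TO"    restrictions deferred (smtpd_delay_reject=yes)
      "accepted"               the server would take mail from us unauthenticated
    DATA is never sent, so no message is queued even on an open server.
    """
    code, _ = session.mail(sender)
    if code // 100 != 2:
        return "rejected at MAIL FROM"
    code, _ = session.rcpt(recipient)
    session.rset()  # abandon the transaction either way
    if code // 100 != 2:
        return "rejected at RCPT TO"
    return "accepted"


def open_submission(host, port=587):
    """Connect, EHLO, STARTTLS (mandatory under smtpd_tls_security_level=encrypt),
    EHLO again, and hand back the session for probe_unauthenticated()."""
    session = smtplib.SMTP(host, port, timeout=30)
    session.ehlo()
    session.starttls(context=ssl.create_default_context())
    session.ehlo()
    return session


class ScriptedSession:
    """Offline stand-in for smtplib.SMTP that replays constructed server replies."""

    def __init__(self, mail_reply, rcpt_reply):
        self._mail_reply = mail_reply
        self._rcpt_reply = rcpt_reply
        self.commands = []  # record of what the probe actually sent

    def mail(self, sender):
        self.commands.append(("MAIL FROM", sender))
        return self._mail_reply

    def rcpt(self, recipient):
        self.commands.append(("RCPT TO", recipient))
        return self._rcpt_reply

    def rset(self):
        self.commands.append(("RSET", None))
        return (250, b"2.0.0 Ok")


# Constructed replies modelled on the thread's two transcripts.
NO_RESTRICTIONS = ScriptedSession((250, b"2.1.0 Ok"), (250, b"2.1.5 Ok"))
DELAYED_REJECT = ScriptedSession(
    (250, b"2.1.0 Ok"),
    (554, b"5.7.1 <host[xxx.xxx.xxx.xxx]>: Client host rejected: Access denied"),
)
# Assumed shape of a refusal that arrives before RCPT TO (wording hypothetical).
IMMEDIATE_REJECT = ScriptedSession(
    (554, b"5.7.1 Client host rejected: Access denied"),
    (503, b"5.5.1 Error: need MAIL command"),
)

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # python probe.py mail.example.invalid
        live = open_submission(sys.argv[1])
        print(probe_unauthenticated(live))
        live.quit()
    else:
        for name, scripted in [("no restrictions", NO_RESTRICTIONS),
                               ("delayed reject", DELAYED_REJECT),
                               ("immediate reject", IMMEDIATE_REJECT)]:
            print(f"{name}: {probe_unauthenticated(scripted)}")
```

Run with a host name to test a live server (remember to use an account-less client, since the point is what happens before AUTH); with no arguments it replays the scripted sessions. A result of "accepted" from a live submission port means the restriction is not being applied and should be treated as a misconfiguration.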
