On 14-03-06 11:25 AM, Wietse Venema wrote:
Nathan Coulson:
In testing, we were seeing the following results:
smtpd_tls_security_level=may
AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=
smtpd_tls_security_level=encrypt
AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=
The secured flag is only set when the level is set to encrypt. I would
expect it to be set for any client that connects via TLS.
No, the secured flag is set when the client requests STARTTLS.
Wietse
    /*
     * Set up a new server context for this connection.
     */
#ifdef USE_TLS
    tls_flag = state->tls_context != 0;
#else
    tls_flag = 0;
#endif
...
    if ((state->sasl_server =
         XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
                             stream = state->client,
                             server_addr = (state->dest_addr ?
                                            state->dest_addr : ""),
                             client_addr = ADDR_OR_EMPTY(state->addr,
                                                         CLIENT_ADDR_UNKNOWN),
                             service = var_smtpd_sasl_service,
                             user_realm = REALM_OR_NULL(var_smtpd_sasl_realm),
                             security_options = sasl_opts_val,
                             tls_flag = tls_flag)) == 0)
        msg_fatal("SASL per-connection initialization failed");
The client (using Thunderbird) is configured to use port 587, with
STARTTLS. I did some more digging to confirm this, and from the logs it
looks like it is requesting and using STARTTLS.
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: VERSION?1?1
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: MECH?PLAIN?plaintext
Mar 6 11:58:52 postfix postfix/smtpd[20189]: name_mask: plaintext
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: MECH?LOGIN?plaintext
Mar 6 11:58:52 postfix postfix/smtpd[20189]: name_mask: plaintext
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: SPID?20191
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: CUID?1
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: COOKIE?c3217471bba339e1ac8623fa290932fc
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_connect: auth reply: DONE
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_mech_filter: keep mechanism: PLAIN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_mech_filter: keep mechanism: LOGIN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
Mar 6 11:58:52 postfix dovecot: auth: Debug: auth client connected (pid=0)
Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: EHLO [IP2]
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-[HOSTNAME HERE]
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-PIPELINING
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-SIZE 204800000
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-VRFY
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ETRN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-STARTTLS
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH PLAIN LOGIN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: match_list_match: IP1: no match
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH=PLAIN LOGIN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ENHANCEDSTATUSCODES
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-8BITMIME
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250 DSN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: STARTTLS
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 220 2.0.0 Ready to start TLS
Mar 6 11:58:52 postfix postfix/smtpd[20189]: send attr request = seed
Mar 6 11:58:52 postfix postfix/smtpd[20189]: send attr size = 32
Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted attribute: status
Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: status
Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute value: 0
Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted attribute: seed
Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: seed
Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute value: QsmI4b31iwCHbOZQ+JsrBXMJRqFizERI0hWa6lZP5wo=
Mar 6 11:58:52 postfix postfix/smtpd[20189]: private/tlsmgr: wanted attribute: (list terminator)
Mar 6 11:58:52 postfix postfix/smtpd[20189]: input attribute name: (end)
Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: EHLO [IP2]
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-[HOSTNAME HERE]
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-PIPELINING
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-SIZE 204800000
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-VRFY
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ETRN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH PLAIN LOGIN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: match_list_match: IP1: no match
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-AUTH=PLAIN LOGIN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-ENHANCEDSTATUSCODES
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250-8BITMIME
Mar 6 11:58:52 postfix postfix/smtpd[20189]: > [IP1]: 250 DSN
Mar 6 11:58:52 postfix postfix/smtpd[20189]: watchdog_pat: 0x7f6dce013730
Mar 6 11:58:52 postfix postfix/smtpd[20189]: < [IP1]: AUTH PLAIN AHRlc3QxQG5jb3Vsc29uLmNvbQB0ZXN0
Mar 6 11:58:52 postfix postfix/smtpd[20189]: xsasl_dovecot_server_first: sasl_method PLAIN, init_response AHRlc3QxQG5jb3Vsc29uLmNvbQB0ZXN0
Mar 6 11:58:52 postfix dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=IP3#011rip=IP1#011resp=<hidden>
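
The mismatch described in this thread (STARTTLS accepted in the smtpd log, but no `secured` flag in the Dovecot auth request) can be checked for mechanically. The following is an added example, not part of the original message and not Postfix or Dovecot code; the function names, the constructed sample log, the `#ooo` octal decoding of the syslog escapes, and the pairing of each smtpd AUTH line with the next Dovecot `client in:` line are assumptions.

```python
import re

# Constructed sample in the thread's log format (documentation addresses, no real traffic).
LOG = """\
Mar 6 11:58:52 mx postfix/smtpd[101]: < c[192.0.2.10]: STARTTLS
Mar 6 11:58:52 mx postfix/smtpd[101]: > c[192.0.2.10]: 220 2.0.0 Ready to start TLS
Mar 6 11:58:53 mx postfix/smtpd[101]: < c[192.0.2.10]: AUTH PLAIN <redacted>
Mar 6 11:58:53 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011rip=192.0.2.10#011resp=<hidden>
Mar 6 12:01:10 mx postfix/smtpd[102]: < c[192.0.2.11]: STARTTLS
Mar 6 12:01:10 mx postfix/smtpd[102]: > c[192.0.2.11]: 220 2.0.0 Ready to start TLS
Mar 6 12:01:11 mx postfix/smtpd[102]: < c[192.0.2.11]: AUTH PLAIN <redacted>
Mar 6 12:01:11 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011rip=192.0.2.11#011secured#011resp=<hidden>
Mar 6 12:05:00 mx postfix/smtpd[103]: < c[192.0.2.12]: AUTH PLAIN <redacted>
Mar 6 12:05:00 mx dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=smtp#011nologin#011rip=192.0.2.12#011resp=<hidden>
""".splitlines()

ESC = re.compile(r"#([0-7]{3})")  # syslog control-character escape; #011 is TAB
SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: ([<>]) \S+: (.*)")
DOVECOT = re.compile(r"dovecot: auth: Debug: client in: (AUTH#011.*)")

def parse_auth_request(raw):
    """Split a logged Dovecot AUTH request into id, mechanism, bare flags and key=value params."""
    fields = ESC.sub(lambda m: chr(int(m.group(1), 8)), raw).split("\t")
    req = {"id": fields[1], "mech": fields[2], "flags": set(), "params": {}}
    for field in fields[3:]:
        key, sep, value = field.partition("=")
        if sep:
            req["params"][key] = value
        else:
            req["flags"].add(key)  # e.g. nologin, secured
    return req

def tls_auth_without_secured(lines):
    """Return (smtpd pid, rip) for AUTH requests sent after STARTTLS but lacking 'secured'."""
    asked, tls, pending, findings = set(), set(), [], []
    for line in lines:  # assumes one SMTP session per smtpd pid in the excerpt
        if m := SMTPD.search(line):
            pid, direction, text = m.groups()
            if direction == "<" and text.upper().startswith("STARTTLS"):
                asked.add(pid)
            elif direction == ">" and pid in asked and text.startswith("220"):
                tls.add(pid)  # server accepted STARTTLS for this session
            elif direction == "<" and text.upper().startswith("AUTH "):
                pending.append(pid)  # the matching Dovecot request is logged next
        elif (m := DOVECOT.search(line)) and pending:
            pid, req = pending.pop(0), parse_auth_request(m.group(1))
            if pid in tls and "secured" not in req["flags"]:
                findings.append((pid, req["params"].get("rip")))
    return findings
```

On the constructed sample only the first session is reported: it authenticated after STARTTLS, yet the request that reached Dovecot carried no `secured` flag.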