On 14-03-06 12:15 PM, Nathan Coulson wrote:
On 14-03-06 11:25 AM, Wietse Venema wrote:
Nathan Coulson:
In testing, we were seeing the following results:
smtpd_tls_security_level=may
AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011resp=
smtpd_tls_security_level=encrypt
AUTH#0111#011PLAIN#011service=smtp#011nologin#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=
The secured flag is only set when the level is set to encrypt. I would
expect it to be set for any client that connects via TLS.
No, the secured flag is set when the client requests STARTTLS.
Wietse
    /*
     * Set up a new server context for this connection.
     */
#ifdef USE_TLS
    tls_flag = state->tls_context != 0;
#else
    tls_flag = 0;
#endif
...
    if ((state->sasl_server =
         XSASL_SERVER_CREATE(smtpd_sasl_impl, &create_args,
                             stream = state->client,
                             server_addr = (state->dest_addr ?
                                            state->dest_addr : ""),
                             client_addr = ADDR_OR_EMPTY(state->addr,
                                                         CLIENT_ADDR_UNKNOWN),
                             service = var_smtpd_sasl_service,
                             user_realm =
                             REALM_OR_NULL(var_smtpd_sasl_realm),
                             security_options = sasl_opts_val,
                             tls_flag = tls_flag)) == 0)
        msg_fatal("SASL per-connection initialization failed");
The client (using Thunderbird) is configured to use port 587, with
STARTTLS. I did some more digging to confirm this, and from the logs
it looks like it is requesting and using starttls.
(Trimmed the log I posted on the last email)
I tested Postfix from RHEL 7 beta (2.10.1), and it passes on the secured
flag when using STARTTLS.
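
Added example, not part of the original thread and not Postfix code: a small Python parser for the AUTH lines quoted above that reports whether the secured flag was sent. It assumes the lines are tab-separated auth requests (the layout matches Dovecot's auth protocol) and that the logger escaped each tab as #011; the function names are hypothetical.

```python
import re

# Constructed sample input: the two AUTH lines quoted in the thread, as logged.
SAMPLE_MAY = ("AUTH#0111#011PLAIN#011service=smtp#011nologin"
              "#011lip=1.6.0.5#011rip=1.6.41.1#011resp=")
SAMPLE_ENCRYPT = ("AUTH#0111#011PLAIN#011service=smtp#011nologin"
                  "#011lip=1.6.0.5#011rip=1.6.41.1#011secured#011resp=")

_ESCAPE = re.compile(r"#([0-7]{3})")


def unescape_syslog(line):
    """Turn '#ooo' octal escapes back into the control characters they replaced."""
    def repl(match):
        code = int(match.group(1), 8)
        # Assumption: only control characters were escaped by the logger;
        # leave any other '#ddd' sequence untouched.
        return chr(code) if code < 32 or code == 127 else match.group(0)
    return _ESCAPE.sub(repl, line)


def parse_auth_request(line):
    """Split an AUTH request into id, mechanism, key=value params and bare flags."""
    fields = unescape_syslog(line.strip()).split("\t")
    if len(fields) < 3 or fields[0] != "AUTH":
        raise ValueError("not an AUTH request: %r" % line)
    params, flags = {}, set()
    for field in fields[3:]:
        key, sep, value = field.partition("=")
        if sep:
            params[key] = value      # e.g. service=smtp, rip=..., resp=
        else:
            flags.add(key)           # e.g. nologin, secured
    return {"id": fields[1], "mechanism": fields[2],
            "params": params, "flags": flags}


def is_secured(line):
    """True when the request carries the bare 'secured' flag."""
    return "secured" in parse_auth_request(line)["flags"]


if __name__ == "__main__":
    for label, line in (("may", SAMPLE_MAY), ("encrypt", SAMPLE_ENCRYPT)):
        req = parse_auth_request(line)
        print(label, req["mechanism"], req["params"].get("rip"),
              "secured" if is_secured(line) else "NOT secured")
```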