On Sat, Apr 26, 2014 at 07:23:38AM -0700, vicafk wrote:

> I have a small problem with my postfix configuration.
> I'm trying to enable both SSL and TLS support and disable plain auth,
> however I can only make one of them work at the same time.

You're using dumbed-down MUA terminology. In mail client configuration
dialogues, when a user is asked to choose between SSL and TLS for their
SMTP connection, they are actually being asked to choose between:

* Standard STARTTLS over SMTP, typically on port 587, which may negotiate
  any of SSLv3, TLSv1, TLSv1.1, TLSv1.2, ...

    C: TCP SYN
    S: TCP SYN-ACK
    C: ACK
    S: 220 example.net ESMTP
    C: EHLO example.org
    S: 250-example.net
       250 STARTTLS
    C: STARTTLS
    S: 220 Ready to start TLS
    C: SSL/TLS CLIENT HELLO
    S: SSL/TLS SERVER HELLO
    ... complete SSL/TLS handshake ...
    C: EHLO example.org
    S: 250 example.net
    C: AUTH PLAIN ...
    S: 250 Authentication successful
    C: MAIL FROM:<j...@example.org>
    S: 250 OK
    ... complete mail transaction ...
    C: QUIT
    S: 221 Goodbye

* Deprecated SMTPS inside SSL/TLS, typically on port 465, which may
  negotiate any of SSLv3, TLSv1, TLSv1.1, TLSv1.2, ...

    C: TCP SYN
    S: TCP SYN-ACK
    C: ACK
    C: SSL/TLS CLIENT HELLO
    S: SSL/TLS SERVER HELLO
    ... complete SSL/TLS handshake ...
    C: EHLO example.org
    S: 250 example.net
    C: AUTH PLAIN ...
    S: 250 Authentication successful
    C: MAIL FROM:<j...@example.org>
    S: 250 OK
    ... complete mail transaction ...
    C: QUIT
    S: 221 Goodbye

On any given submission TCP port (587 or 465) you can either enable
SMTP + STARTTLS, or the deprecated SMTPS, but not both.

With Postfix, the "smtpd_tls_wrappermode" parameter selects between
STARTTLS and SMTPS operation. You'd set it to "yes" in master.cf for
the optional port 465 service. And optionally configure your mail
client to use "SSL" on port 465 rather than "TLS" on port 587.

> If I enable SSL then TLS stops working, if I enable TLS, SSL stops working.

The smtpd_tls_wrappermode setting needs to be made in master.cf for
the appropriate instance of the smtpd(8) service.

The default master.cf file from postfix.org contains commented out
services for you to enable:

    #submission inet n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/submission
    #  -o smtpd_tls_security_level=encrypt
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING
    #smtps     inet  n       -       n       -       -       smtpd
    #  -o syslog_name=postfix/smtps
    #  -o smtpd_tls_wrappermode=yes
    #  -o smtpd_sasl_auth_enable=yes
    #  -o smtpd_reject_unlisted_recipient=no
    #  -o smtpd_client_restrictions=$mua_client_restrictions
    #  -o smtpd_helo_restrictions=$mua_helo_restrictions
    #  -o smtpd_sender_restrictions=$mua_sender_restrictions
    #  -o smtpd_recipient_restrictions=
    #  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    #  -o milter_macro_daemon_name=ORIGINATING

The "smtps" and "submission" entries are typically already present in
/etc/services on most machines. You can add these if missing, or use
port numbers instead of names.

> Also I'm a bit plagued by a startup error which keeps popping up every few
> hours.
>
> Apr 25 07:09:08 mail postfix/smtpd[75486]: fatal: unexpected command-line
> argument: permit_sasl_authenticated,

No spaces are allowed in master.cf parameter settings, use:

master.cf:
    submission inet ... smtpd
        -o parameter_name=$submission_parameter_name
    smtps inet ... smtpd
        -o parameter_name=$smtps_parameter_name

main.cf:
    submission_parameter_name = ...
    # Same as for submission, except when not
    smtps_parameter_name = $submission_parameter_name

> Apr 25 07:09:09 mail postfix/master[58712]: warning: process
> /usr/lib/postfix/smtpd pid 75486 exit status 1
> Apr 25 07:09:09 mail postfix/master[58712]: warning: /usr/lib/postfix/smtpd:
> bad command startup -- throttling

That's a severe error which must be fixed.

> no matter how I change the smtpd_client_restrictions, with quotes, without
> quotes, all in one line, separate lines the error still pops up.

http://www.postfix.org/master.5.html

-- 
	Viktor.
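The two points in the reply above (a service is either SMTPS in wrapper mode or STARTTLS, never both; and whitespace inside a master.cf "-o" value is split into extra tokens that smtpd(8) rejects at startup) can be checked before reloading Postfix. The following script is an added illustration, not part of the thread and not Postfix's own code. It tokenises a master.cf fragment the way master(8) does (whitespace-separated fields, continuation lines starting with whitespace), reports each smtpd service's TLS mode, and reproduces the "unexpected command-line argument" diagnostic for stray tokens. The sample master.cf is constructed, and the classification assumes main.cf does not itself set smtpd_tls_security_level.

```python
"""Lint a Postfix master.cf fragment: report SMTPS (wrapper mode) versus
STARTTLS per smtpd service, and flag "-o" values broken apart by whitespace.
Added illustration for the postfix-users thread; not Postfix's own code."""
from dataclasses import dataclass, field

# Constructed sample master.cf fragment (not the poster's real file).
# The submission service carries the thread's bug: the space after the comma
# in smtpd_relay_restrictions splits the value into two command-line tokens.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated, reject
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""


@dataclass
class Service:
    name: str
    transport: str
    command: str
    options: dict = field(default_factory=dict)      # name -> value from "-o"
    stray_args: list = field(default_factory=list)   # tokens smtpd would reject


def _logical_lines(text):
    """Join continuation lines (leading whitespace) onto their service line;
    skip blank lines and comments, as master(8) does."""
    current = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            current.append(raw.strip())
        else:
            if current:
                yield " ".join(current)
            current = [raw.strip()]
    if current:
        yield " ".join(current)


def parse_master_cf(text):
    """Split each logical line into the seven fixed fields, the command, and
    its arguments; collect "-o name=value" pairs and any leftover tokens."""
    services = []
    for line in _logical_lines(text):
        tokens = line.split()
        if len(tokens) < 8:          # malformed entry; outside this example's scope
            continue
        svc = Service(name=tokens[0], transport=tokens[1], command=tokens[7])
        args = tokens[8:]
        i = 0
        while i < len(args):
            tok = args[i]
            if tok == "-o" and i + 1 < len(args):
                name, _, value = args[i + 1].partition("=")
                svc.options[name] = value
                i += 2
            elif tok.startswith("-"):
                i += 1               # other daemon flags such as -v take no value
            else:
                svc.stray_args.append(tok)   # exactly what smtpd(8) trips over
                i += 1
        services.append(svc)
    return services


def tls_mode(svc):
    """Classify how a service offers TLS. Assumption: main.cf leaves
    smtpd_tls_security_level at its default of "none"."""
    if svc.options.get("smtpd_tls_wrappermode") == "yes":
        return "smtps"               # TLS handshake before any SMTP banner (port 465)
    level = svc.options.get("smtpd_tls_security_level", "none")
    return {"encrypt": "starttls-required", "may": "starttls-optional"}.get(level, "plaintext")


def lint(text):
    """Return the fatal messages smtpd(8) would log for stray tokens."""
    return [f"{svc.name}: fatal: unexpected command-line argument: {tok}"
            for svc in parse_master_cf(text) for tok in svc.stray_args]


if __name__ == "__main__":
    for svc in parse_master_cf(SAMPLE_MASTER_CF):
        print(f"{svc.name:<11} {tls_mode(svc)}")
    for msg in lint(SAMPLE_MASTER_CF):
        print(msg)
```

Run against the sample, the submission entry is reported as "starttls-required", the smtps entry as "smtps", and the only lint finding is the stray "reject" token on the submission service; the smtps entry, whose value has no embedded space, passes. Removing the space after the comma makes the finding disappear, which is the fix the reply prescribes.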