On 22 Aug 2014, at 14:16, Christian Rößner wrote:
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: Anonymous TLS
connection established from
static-201-106.deltasurf.de[193.239.106.201]:47064: TLSv1 with
cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Your server SASL layer did not offer a SASL "EXTERNAL" mechanism,
and probably should not. I don't think Postfix supports this
anyway. IIRC you mentioned configuring Apple Mail for "EXTERNAL"
auth. That won't work.
I guess it is not SASL/EXTERNAL. The dialog says: Extern (TLS
Clientzertifikat)
I don’t know why they call it “extern”.
As you see, Apple Mail does have a different behavior.
Yep, it does not employ client certificates, at least not as
configured. Since the Postfix server requests a client certificate,
the issue is entirely on the client side.
Yes, I agree. I have done several certificates now and none work. And
as I have no idea where to find further information, how the
certificate must have been created to work with Apple Mail, I give up
right now.
I hope you have not entirely given up, because I believe there is a fix,
although I'm only able to describe how to find it in the US English
version of Mail. I hope this provides adequate clues.
Apple Mail hides the right place to set a certificate that it should use
for *connection* to a server (TLS over TCP) and prominently offers a
place to set a certificate that is used for *authentication* inside
application-layer protocols (SMTP, IMAP, POP3) which would use the SASL
EXTERNAL mechanism. Postfix seems to offer no support for SASL EXTERNAL,
but the Postfix TLS_README does explain what seems to be a way to permit
submission and relay based on TLS use of a set of trusted certificates,
WITHOUT using SASL authentication at all. I've not done that myself so I
can only point you to that doc and hope you can work it out.
The log line cited above shows that Apple Mail is using no client
certificate to set up TLS. To make it do so, you need to use the
Preferences->Accounts screen inside Mail (NOT the global "Internet
Accounts" panel in System Preferences). There you have an "Account
Information" tab, with a pull-down menu for the "Outgoing Mail
Server(SMTP)". The last entry in that menu is "Edit SMTP Server List",
which is where SMTP connection and authentication details are hidden.
That will open a panel with a list of your configured SMTP servers in
the top section. Selecting the one you're trying to fix will show you
tabs for "Account Information" and "Advanced" in the bottom section. In
"Account Information" you can use the "TLS Certificate" pull-down to
select your personal certificate. You also will need to switch to the
"Advanced" tab to switch "Authentication" from "External (TLS Client
Certificate)" to "None" (if you have Postfix configured to permit use
based on the TLS certificate) or "Password" (if you want to ALSO use the
SASL authentication that you appear to have working with TBird). One
good feature of Mail is that you can use "Window->Connection Doctor" to
perform a test of all connection settings and log the details for
analysis if need be.
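
A server-side check to go with the client change described above (an added example, not part of the original message): this Python script classifies Postfix smtpd TLS log lines by their leading status word, where "Anonymous" means the client presented no certificate. The first sample line is the log line quoted in this thread, joined onto one line; the other lines, hostnames and addresses are constructed.

```python
import re
from collections import defaultdict

# Postfix smtpd starts the handshake log line with one of three words:
#   Anonymous = client presented no certificate
#   Untrusted = certificate presented, not verified against the server's CAs
#   Trusted   = certificate presented and verified
TLS_LINE = re.compile(
    r"(?P<service>[\w.-]+)/smtpd\[\d+\]: "
    r"(?P<status>Anonymous|Untrusted|Trusted) TLS connection established from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Line 1 is from the thread; lines 2-4 are constructed sample data.
SAMPLE_LOG = """\
Aug 22 19:14:10 mx0 postfix-submission/smtpd[29528]: Anonymous TLS connection established from static-201-106.deltasurf.de[193.239.106.201]:47064: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Aug 22 19:20:41 mx0 postfix-submission/smtpd[29611]: Untrusted TLS connection established from client-a.example[192.0.2.10]:50112: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 22 19:25:03 mx0 postfix-submission/smtpd[29702]: Trusted TLS connection established from client-b.example[192.0.2.20]:50433: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 22 19:25:04 mx0 postfix-submission/smtpd[29702]: connect from client-b.example[192.0.2.20]
"""


def parse_tls_line(line):
    """Return the fields of a TLS handshake log line, or None for other lines."""
    m = TLS_LINE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Map each client IP to the set of certificate statuses seen for it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_tls_line(line)
        if rec:
            seen[rec["ip"]].add(rec["status"])
    return dict(seen)


def clients_without_cert(log_text):
    """Client IPs whose every logged handshake carried no client certificate."""
    return sorted(ip for ip, st in summarize(log_text).items()
                  if st == {"Anonymous"})


if __name__ == "__main__":
    for ip, statuses in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip}: {', '.join(sorted(statuses))}")
    print("no client certificate:", clients_without_cert(SAMPLE_LOG))
```

Once the "TLS Certificate" pull-down in Mail is set, a new handshake from that client should no longer be logged as "Anonymous".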