Hi,
Following previous conversations here I have user/pass
authentication working on 587. I am hoping to take this one stage
further by using certificate authentication, perhaps without
user/pass authentication, but I am failing. The client I am using is
K-9 mail and to an extent I have been using the following two
guides:
http://www.sandelman.ca/SSW/tutorial/authenticated-relaying/
http://www.tnrglobal.com/blog/2010/01/postfix-smtp-auth-wtls/
In order to keep the port 587 setup separate from the port 25 setup
I have been trying to achieve the setup in master.cf. I am using
postfix 2.6.6.
The line I am currently trying in master.cf is:
submission inet n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,permit_tls_clientcerts,permit_tls_all_clientcerts,reject
  -o smtpd_tls_ask_ccert=yes
  -o smtpd_recipient_restrictions=permit_tls_all_clientcerts,reject_unauth_destination,reject
  -o smtpd_tls_CAfile=/etc/pki/CA/ca-cert.pem
  -o smtp_tls_note_starttls_offer=yes
  -o broken_sasl_auth_clients=yes
I did start with something much simpler but it failed with the same
message in K-9. The message I am getting is:
  Cannot connect to server. (Unable to authenticate. The server does
  not advertise the SASL EXTERNAL capability. This could be a problem
  with the client certificate (expired, unknown certificate authority)
  or some other configuration problem.)
Telnetting to the server I get:
[root@server ~]# telnet 127.0.0.1 587
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 mailserver.howitts.co.uk ESMTP Postfix
EHLO server.howitts.co.uk
250-mailserver.howitts.co.uk
250-PIPELINING
250-SIZE 51200000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
I am sure I am missing something obvious. My postconf -n is:
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
bounce_queue_lifetime = 6h
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = mailprefilter
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
disable_vrfy_command = yes
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
inet_interfaces = all
inet_protocols = all
local_recipient_maps = $alias_maps $virtual_alias_maps
luser_relay =
mail_owner = postfix
mailbox_size_limit = 102400000
mailbox_transport = mailpostfilter
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 51200000
message_strip_characters = \0
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = howitts.co.uk
myhostname = mailserver.howitts.co.uk
mynetworks = 127.0.0.0/8, 192.168.10.0/24, 172.17.2.0/23
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.6.6/README_FILES
recipient_delimiter = +
relayhost = [127.0.0.1]:10465
sample_directory = /usr/share/doc/postfix-2.6.6/samples
sender_dependent_relayhost_maps = hash:/etc/postfix/relayhost_map
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_use_tls = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname,
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_recipient_domain, reject_unauth_pipelining, reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unauth_destination, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, reject_rbl_client 2.0.0.127.b.barracudacentral.org
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_security_options = noanonymous
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_invalid_hostname, reject_rhsbl_sender, dsn.rfc-ignorant.org,
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_loglevel = 1
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = $alias_maps, $virtual_maps, ldap:/etc/postfix/imap-aliases.cf, ldap:/etc/postfix/imap-groups.cf
I have set up relay maps but I don't think they work in 2.6.6 so I
am allowing all TLS client certs for the moment.
For certificates I have a self-signed ca-cert and it (and the public
key) work in OpenVPN.
Any chance of some help?
Thanks,
Nick
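An added example for readers of this thread (it is not part of Nick's post and not Postfix project code). The EHLO transcript above shows the server advertising only AUTH LOGIN and PLAIN, so there is no EXTERNAL mechanism for K-9 to use; Postfix's own documented mechanism for relaying on a client certificate is the relay_clientcerts table, which permit_tls_clientcerts consults by certificate fingerprint. The fingerprint key must be formatted exactly as Postfix computes it (smtpd_tls_fingerprint_digest, md5 by default in 2.6; upper-case hex octets separated by colons), which is what the script below produces from a PEM. The CA path is the one from the post; the map path /etc/postfix/relay_clientcerts, the label text and the sample "certificate" (a PEM wrapper around the bytes b"hello", so the script runs offline) are assumptions of this example.

```python
"""Build a Postfix relay_clientcerts entry and a matching submission stanza.

Added example, not from the original post. A real client certificate PEM
(for instance the one K-9 presents) replaces SAMPLE_PEM in practice.
"""
import base64
import hashlib
import re

CA_FILE = "/etc/pki/CA/ca-cert.pem"                   # path from the post
RELAY_CLIENTCERTS = "/etc/postfix/relay_clientcerts"  # assumed map path

# Constructed stand-in so the script runs offline: a PEM wrapper around
# the bytes b"hello", NOT a real X.509 certificate.
_SAMPLE_DER = b"hello"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def postfix_fingerprint(der: bytes, digest: str = "md5") -> str:
    """Digest of the DER certificate in the form Postfix uses as the map key:
    upper-case hex octets separated by colons, e.g. D7:04:2F:C8:...

    The digest must match smtpd_tls_fingerprint_digest (md5 unless changed),
    otherwise the lookup silently misses and permit_tls_clientcerts never fires."""
    hexdigest = hashlib.new(digest, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def relay_clientcerts_entry(pem: str, label: str, digest: str = "md5") -> str:
    """One relay_clientcerts line: '<fingerprint> <free text>'. The text after
    the key is ignored by Postfix and only documents whose cert it is."""
    return f"{postfix_fingerprint(pem_to_der(pem), digest)} {label}"


def main_cf_settings(digest: str = "md5") -> dict:
    """main.cf parameters that permit_tls_clientcerts depends on."""
    return {
        "smtpd_tls_fingerprint_digest": digest,
        "relay_clientcerts": f"hash:{RELAY_CLIENTCERTS}",
    }


def submission_stanza() -> str:
    """master.cf entry for port 587: require TLS, ask for and require a client
    certificate, verify it against CA_FILE, and relay only when its fingerprint
    is listed in relay_clientcerts. '-o' values may not contain whitespace,
    hence the comma-only restriction lists."""
    return "\n".join([
        "submission inet n       -       n       -       -       smtpd",
        "  -o smtpd_tls_security_level=encrypt",
        f"  -o smtpd_tls_CAfile={CA_FILE}",
        "  -o smtpd_tls_ask_ccert=yes",
        "  -o smtpd_tls_req_ccert=yes",
        "  -o smtpd_client_restrictions=permit_tls_clientcerts,reject",
        "  -o smtpd_recipient_restrictions=permit_tls_clientcerts,reject",
        "",
    ])


if __name__ == "__main__":
    # Map line for the constructed sample cert (label is an assumed name).
    print(relay_clientcerts_entry(SAMPLE_PEM, "k9-phone (sample, not a real cert)"))
    # main.cf changes as postconf commands, then the master.cf stanza.
    for key, value in main_cf_settings().items():
        print(f"postconf -e '{key} = {value}'")
    print(submission_stanza())
```

After writing the generated line into /etc/postfix/relay_clientcerts, run `postmap /etc/postfix/relay_clientcerts` and reload Postfix. permit_tls_clientcerts requires both that the certificate chain verifies against smtpd_tls_CAfile and that its fingerprint is in the map, whereas permit_tls_all_clientcerts needs only the verification step; if the handshake succeeds but relaying is still refused, compare the map key with the fingerprint Postfix logs for the connection (raise smtpd_tls_loglevel if it is not shown), and confirm the digest in main.cf matches the one used to build the map.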