On 1/16/2017 12:04 AM, David Mehler wrote: > Hello, > > I'm running Postfix 3.1. A telnet connection to port 25 and another to > port 587, does not announce the sasl auth capabilities.
> smtpd_tls_auth_only = yes http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only ... "do not announce or accept SASL authentication over unencrypted connections" -- Noel Jones > > I'd appreciate a sanity check of my configuration done with postconf -n. > > Thanks. > Dave. > > autoresponder_destination_recipient_limit = 1 > biff = no > bounce_template_file = /usr/local/etc/postfix/bounce.cf > broken_sasl_auth_clients = no > command_directory = /usr/local/sbin > compatibility_level = 9999 > daemon_directory = /usr/local/libexec/postfix > data_directory = /var/db/postfix > disable_vrfy_command = yes > dovecot_destination_recipient_limit = 1 > hash_queue_depth = 2 > hash_queue_names = incoming, hold defer deferred > header_checks = pcre:/usr/local/etc/postfix/header_checks, > regexp:/usr/local/etc/postfix/phish419.regexp > html_directory = no > in_flow_delay = 1s > inet_interfaces = xxx.xxx.xxx.xxx, 127.0.0.1 > inet_protocols = ipv4 > local_recipient_maps = > mail_owner = postfix > mailq_path = /usr/local/bin/mailq > manpage_directory = /usr/local/man > meta_directory = /usr/local/libexec/postfix > milter_default_action = accept > milter_protocol = 6 > mime_header_checks = regexp:/usr/local/etc/postfix/mime_header_checks > mydestination = localhost > mydomain = example.com > myhostname = mail.example.com > mynetworks = 127.0.0.0/8, xxx.xxx.xxx.xxx/32 > myorigin = $mydomain > newaliases_path = /usr/local/bin/newaliases > non_smtpd_milters = $smtpd_milters > postscreen_access_list = permit_mynetworks, > cidr:/usr/local/etc/postfix/postscreen_access.cidr, > cidr:/usr/local/etc/postfix/postscreen_spf_whitelist.cidr > postscreen_blacklist_action = drop > postscreen_cache_cleanup_interval = 0 > postscreen_cache_map = proxy:btree:${data_directory}/postscreen_cache > postscreen_dnsbl_action = enforce > postscreen_dnsbl_reply_map = > pcre:/usr/local/etc/postfix/postscreen_dnsbl_reply_map.pcre > postscreen_dnsbl_sites = zen.spamhaus.org*3 b.barracudacentral.org*2 > bl.spameatingmonkey.net*2 dnsbl.ahbl.org*2 bl.spamcop.net > dnsbl.sorbs.net psbl.surriel.com bl.mailspike.net swl.spamhaus.org*-4 > list.dnswl.org=127.[0..255].[0..255].0*-2 > list.dnswl.org=127.[0..255].[0..255].1*-3 > list.dnswl.org=127.[0..255].[0..255].[2..255]*-4 > postscreen_dnsbl_threshold = 3 > postscreen_greet_action = enforce > queue_directory = /var/spool/postfix > readme_directory = no > recipient_delimiter = + > sample_directory = /usr/local/etc/postfix > sendmail_path = /usr/local/sbin/sendmail > setgid_group = maildrop > shlib_directory = /usr/local/lib/postfix > show_user_unknown_table_name = no > smtp_helo_timeout = 60s > smtpd_banner = $myhostname ESMTP > smtpd_data_restrictions = reject_unauth_pipelining > smtpd_helo_required = yes > smtpd_milters = inet:127.0.0.1:8891 > smtpd_recipient_restrictions = permit_mynetworks > permit_sasl_authenticated reject_unauth_destination > check_sender_access hash:/usr/local/etc/postfix/safe_addresses > check_sender_access hash:/usr/local/etc/postfix/auto-whtlst > check_client_access cidr:/usr/local/etc/postfix/spamfarms > check_client_access cidr:/usr/local/etc/postfix/sinokorea.cidr > permit_dnswl_client list.dnswl.org=127.0.[2..14].[1..3] > check_reverse_client_hostname_access > pcre:/usr/local/etc/postfix/fqrdns.pcre > reject_unknown_reverse_client_hostname reject_non_fqdn_sender > reject_non_fqdn_helo_hostname reject_invalid_helo_hostname > reject_unknown_helo_hostname reject_unlisted_recipient > reject_rbl_client b.barracudacentral.org reject_rbl_client > zen.spamhaus.org reject_rbl_client psbl.surriel.com reject_rbl_client > bl.spamcop.net reject_rbl_client cbl.abuseat.org reject_rhsbl_client > dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org > reject_rhsbl_helo dbl.spamhaus.org check_policy_service > unix:private/spf-policy check_policy_service inet:127.0.0.1:12345 > smtpd_reject_unlisted_sender = yes > smtpd_sasl_auth_enable = yes > smtpd_sasl_local_domain = $mydomain > smtpd_sasl_path = private/auth > smtpd_sasl_security_options = noanonymous > smtpd_sasl_tls_security_options = noanonymous > smtpd_sasl_type = dovecot > smtpd_soft_error_limit = 3 > smtpd_tls_CAfile = /etc/ssl/certs/cacert.crt > smtpd_tls_auth_only = yes > smtpd_tls_cert_file = /etc/ssl/certs/server.crt > smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem > smtpd_tls_dh512_param_file = ${config_directory}/dh512.pem > smtpd_tls_eecdh_grade = strong > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDB3-SHA, KRB5-DES, CBC3-SHA > smtpd_tls_key_file = /etc/ssl/private/server.key > smtpd_tls_loglevel = 1 > smtpd_tls_mandatory_ciphers = medium > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 > smtpd_tls_protocols = !SSLv2, !SSLv3 > smtpd_tls_received_header = yes > smtpd_tls_security_level = may > smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache > smtpd_use_tls = yes > smtputf8_enable = no > soft_bounce = no > spf-policy_time_limit = 3600s > strict_rfc821_envelopes = yes > tls_preempt_cipherlist = yes > unknown_address_reject_code = 554 > unknown_client_reject_code = 554 > unknown_hostname_reject_code = 554 > unknown_local_recipient_reject_code = 550 > virtual_alias_maps = > proxy:mysql:/usr/local/etc/postfix/mysql-virtual-alias-maps.cf, > proxy:mysql:/usr/local/etc/postfix/mysql-virtual-email2email.cf > virtual_gid_maps = static:999 > virtual_mailbox_base = /home/vmail > virtual_mailbox_domains = > proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-domains.cf > virtual_mailbox_limit = 262144000 > virtual_mailbox_maps = > proxy:mysql:/usr/local/etc/postfix/mysql-virtual-mailbox-maps.cf > virtual_minimum_uid = 999 > virtual_transport = dovecot > virtual_uid_maps = static:999 >
