On 16 Feb 2019, at 15:46, Andrey Repin wrote:

> Greetings, sashk!
>
>> Hello Patrick,
>>
>> Thanks for the response.
>>
>>> The other side offers PLAIN LOGIN, but your smtp client doesn't like that
>>> because those are mechanisms which send identification data in clear (read:
>>> unencrypted). That's because you have this (default) in place:
>>>
>>> smtp_sasl_security_options = noplaintext, noanonymous
>>>
>>> Either you make sure your smtp client uses TLS while it attempts to
>>> authenticate, or you lower the security policy and configure your smtp client
>>> to permit PLAIN and/or LOGIN like this:
>>>
>>> smtp_sasl_security_options = noanonymous
>>
>> I have tried this option as well, and it did not address the issue.
>>
>> Perhaps I should have included the full log (see below), but the SMTP server
>> won't even advertise AUTH until the client starts using TLS, as the remote
>> server has the following in its master.cf:
>>
>> submission inet n       -       n       -       -       smtpd
>>   -o syslog_name=postfix/submission
>>   -o smtpd_tls_security_level=encrypt
>
> This is NOT right.

You are confused. That is quite right, or at least a very good idea.

> submission (port 587/tcp) is a plain connection. Unencrypted.

Initially, yes. However, it is entirely reasonable to reject all mail on port 587 until the client has established a TLS session and authenticated. The RFC for submission encourages that behavior.

> You should use default "may" here and leave "encrypt" for submissions (port
> 465/tcp).

No. Port 465 (originally non-standard smtps and now revived as submissions) requires "wrappermode" to allow clients to initiate TLS immediately at connect time, rather than requiring a STARTTLS command in-protocol.

Here's an example of a longtime working configuration of the 2 submission instances of smtpd:

submission inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/submit
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/smtps
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
    -o milter_macro_daemon_name=ORIGINATING-TLS

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
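The thread's core point is that a submission service running with smtpd_tls_security_level=encrypt does not advertise AUTH at all until STARTTLS has completed, so relaxing smtp_sasl_security_options on the client side cannot help unless the client also negotiates TLS. The script below is an added illustration, not code from this thread or from Postfix: it parses two constructed EHLO replies (one before STARTTLS, one after) and models how the Postfix SMTP client's smtp_tls_security_level, smtp_sasl_security_options and smtp_sasl_tls_security_options (a real Postfix parameter whose default is the value of smtp_sasl_security_options) decide which mechanisms are usable. The hostname and extension lists are constructed sample data.

```python
"""Model why 'noanonymous' alone does not fix a client that never starts TLS."""
import re

# Constructed sample EHLO replies (not taken from the thread). They mimic a
# Postfix submission smtpd with smtpd_tls_security_level=encrypt: the server
# offers STARTTLS on the cleartext session and only advertises AUTH once the
# session is encrypted.
EHLO_PLAINTEXT = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_ENCRYPTED = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Mechanisms that Postfix's "noplaintext" option refuses: both carry the
# password in a directly recoverable form.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}
ANONYMOUS_MECHS = {"ANONYMOUS"}


def parse_ehlo(reply):
    """Map EHLO keywords to their parameters, e.g. {'AUTH': ['PLAIN', 'LOGIN']}."""
    exts = {}
    for line in reply.splitlines()[1:]:  # line 0 is the server's greeting
        m = re.match(r"250[- ](\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"malformed EHLO line: {line!r}")
        exts[m.group(1).upper()] = m.group(2).split()
    return exts


def allowed_mechanisms(offered, security_options):
    """Apply an smtp_sasl_security_options-style filter to offered mechanisms."""
    opts = {o.strip().lower() for o in security_options.split(",") if o.strip()}
    allowed = set(offered)
    if "noplaintext" in opts:
        allowed -= PLAINTEXT_MECHS
    if "noanonymous" in opts:
        allowed -= ANONYMOUS_MECHS
    return sorted(allowed)


def negotiate(client_tls_level, plain_opts, tls_opts,
              ehlo_plain=EHLO_PLAINTEXT, ehlo_tls=EHLO_ENCRYPTED):
    """Simulate the client's decision; returns (tls_used, usable_mechanisms).

    client_tls_level mirrors smtp_tls_security_level (none/may/encrypt),
    plain_opts mirrors smtp_sasl_security_options (cleartext sessions) and
    tls_opts mirrors smtp_sasl_tls_security_options (encrypted sessions).
    """
    exts = parse_ehlo(ehlo_plain)
    if client_tls_level == "none" or "STARTTLS" not in exts:
        if client_tls_level == "encrypt":
            raise RuntimeError("TLS required but the server did not offer STARTTLS")
        # Cleartext session: the server in this scenario offers no AUTH here.
        return False, allowed_mechanisms(exts.get("AUTH", []), plain_opts)
    # STARTTLS accepted: re-issue EHLO and read the encrypted-session extensions.
    exts = parse_ehlo(ehlo_tls)
    return True, allowed_mechanisms(exts.get("AUTH", []), tls_opts)


if __name__ == "__main__":
    default = "noplaintext, noanonymous"
    # The situation from the thread: no TLS on the client, so no AUTH is ever seen.
    print("none    / noanonymous        ->", negotiate("none", "noanonymous", "noanonymous"))
    # TLS used, but the TLS-session options left at their default still refuse PLAIN/LOGIN.
    print("may     / default for TLS    ->", negotiate("may", default, default))
    # TLS used and smtp_sasl_tls_security_options relaxed: authentication can proceed.
    print("encrypt / noanonymous for TLS->", negotiate("encrypt", default, "noanonymous"))
```

The first run reproduces sashk's observation: with no TLS on the client side the cleartext EHLO carries no AUTH keyword, so the value of smtp_sasl_security_options never comes into play. The second run shows the remaining pitfall once TLS is enabled: smtp_sasl_tls_security_options inherits noplaintext by default, so it must be relaxed separately for PLAIN or LOGIN to be used over the encrypted session.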