From: Gerard on
I use fetchmail to harvest mail from a couple of accounts. I added this
to the main.cf file and fetchmail stopped delivering mail.

smtpd_tls_security_level = encrypt

This was the error message:

fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
fetchmail: SMTP server requires STARTTLS, keeping message.
fetchmail: not flushed

I then added this to the main.cf file:

smtpd_sasl_exceptions_networks = localhost

I thought that would correct the problem; however, it doesn't. Mail
from the regular users on the network is delivered to the server's IP:
192.168.1.103

Is there any way I can get this to work?

~ $ postconf -n
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
delay_warning_time = 2h
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = seibercom.net
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtp_tls_CApath = /usr/local/etc/postfix/certs
smtp_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtp_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550

--
Gerard
postfix.user(a)yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Some of the things that live the longest
in peoples' memories never really happened.
From: Wietse Venema on
Gerard:
> I use fetchmail to harvest mail from a couple of accounts. I added this
> to the main.cf file and fetchmail stopped delivering mail.
>
> smtpd_tls_security_level = encrypt
>
> This was the error message:
>
> fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
> fetchmail: SMTP server requires STARTTLS, keeping message.

/etc/postfix/master.cf:
    192.168.1.1:smtp inet n - - - - smtpd
    127.0.0.1:smtp inet n - - - - smtpd
        -o smtpd_tls_security_level=may

> I then added this to the main.cf file:
>
> smtpd_sasl_exceptions_networks = localhost

That controls SASL, not TLS.

Wietse
From: Victor Duchovni on
On Wed, Sep 09, 2009 at 03:19:11PM -0400, Gerard wrote:

> I use fetchmail to harvest mail from a couple of accounts. I added this
> to the main.cf file and fetchmail stopped delivering mail.
>
> smtpd_tls_security_level = encrypt

This requires all clients to use SSL/TLS.

> I then added this to the main.cf file:
>
> smtpd_sasl_exceptions_networks = localhost

This suppresses SASL authentication for local hosts, but SASL is not SSL.

> I thought that would correct the problem; however, it doesn't. Mail
> from the regular users on the network is delivered to the server's IP:
> 192.168.1.103
>
> Is there any way I can get this to work?

Try:

smtpd_tls_security_level = may

and if you want to insist that some clients use SSL/TLS, do so via
"reject_plaintext_session" after permitting clients that don't need
to use SSL/TLS:

http://www.postfix.org/postconf.5.html#reject_plaintext_session

For example:

    smtpd_client_restrictions =
        permit_inet_interfaces,
        reject_plaintext_session

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
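Added example (not part of the thread, and not Postfix or fetchmail code): a probe for checking which listener refuses plaintext after applying either of the two suggestions above. It walks a plaintext session up to RCPT TO and reports where the server refused. StubSMTP, start_stub, the policy labels and the example.invalid names are constructed for this sketch; the 450 reply and its appearing only at RCPT TO assume Postfix's default plaintext_reject_code and smtpd_delay_reject settings.

```python
import smtplib
import socketserver
import threading

def probe_plaintext_policy(host, port, rcpt="postmaster@example.invalid"):
    """Walk a plaintext session up to RCPT TO (no DATA) and report any refusal."""
    with smtplib.SMTP(host, port, timeout=5) as s:
        s.ehlo("probe.example.invalid")
        result = {"starttls_offered": s.has_extn("starttls"), "refused_at": None}
        steps = (("MAIL", s.mail, "probe@example.invalid"), ("RCPT", s.rcpt, rcpt))
        for stage, command, address in steps:
            code, text = command(address)
            if code >= 400:
                result.update(refused_at=stage, code=code, text=text.decode())
                break
    return result

class StubSMTP(socketserver.StreamRequestHandler):
    """Constructed stand-in for one smtpd listener (sample replies, not Postfix)."""
    def handle(self):
        policy = self.server.policy
        self.wfile.write(b"220 stub.example.invalid ESMTP\r\n")
        for line in self.rfile:
            verb = line[:4].upper()
            if verb == b"EHLO":
                reply = b"250-stub.example.invalid\r\n250 STARTTLS\r\n"
            elif verb == b"MAIL" and policy == "encrypt":
                # The reply fetchmail reported in the thread.
                reply = b"530 5.7.0 Must issue a STARTTLS command first\r\n"
            elif verb == b"RCPT" and policy == "reject_plaintext_session":
                # Assumed wording; the rejection is deferred to RCPT TO.
                reply = b"450 4.7.1 Session encryption is required\r\n"
            elif verb == b"QUIT":
                reply = b"221 2.0.0 Bye\r\n"
            else:
                reply = b"250 2.0.0 Ok\r\n"
            self.wfile.write(reply)

def start_stub(policy):
    """Serve StubSMTP on an ephemeral loopback port; policy is a label for this stub only."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), StubSMTP)
    server.policy, server.daemon_threads = policy, True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    for policy in ("encrypt", "reject_plaintext_session", "may"):
        stub = start_stub(policy)
        print(policy, probe_plaintext_policy(*stub.server_address))
```

Against a real server, run the probe once per listener address (loopback and the LAN address) and pass a recipient the server accepts.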
From: Geert Hendrickx on
On Wed, Sep 09, 2009 at 03:19:11PM -0400, Gerard wrote:
> I use fetchmail to harvest mail from a couple of accounts. I added
> this to the main.cf file and fetchmail stopped delivering mail.


Do you actually need fetchmail to deliver mail via smtp? If you don't
need special handling by postfix and just want to drop the messages into
your mailbox, you could just as well deliver directly via procmail,
dovecot deliver or any other LDA. Or use Postfix' sendmail command line
interface.

Just add "mda /path/to/delivery/program" to your .fetchmailrc.


Geert


--
Geert Hendrickx -=- ghen(a)telenet.be -=- PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
From: Gerard on
On Thu, 10 Sep 2009 11:20:28 +0200
Geert Hendrickx <ghen(a)telenet.be> wrote:

> On Wed, Sep 09, 2009 at 03:19:11PM -0400, Gerard wrote:
> > I use fetchmail to harvest mail from a couple of accounts. I added
> > this to the main.cf file and fetchmail stopped delivering mail.
>
> Do you actually need fetchmail to deliver mail via smtp? If you don't
> need special handling by postfix and just want to drop the messages
> into your mailbox, you could just as well deliver directly via
> procmail, dovecot deliver or any other LDA. Or use Postfix' sendmail
> command line interface.
>
> Just add "mda /path/to/delivery/program" to your .fetchmailrc.

Well, for one thing, I wouldn't use Procmail if you paid me.
(Well, maybe a lot of money anyway).

Second, not all mail is received via Fetchmail.

Third, it is not my system. However, it does use clamav-milter with
Postfix. Wouldn't delivering directly to Dovecot bypass virus scanning?

--
Gerard
postfix.user(a)yahoo.com


Barth's Distinction:
There are two types of people: those who divide people into two
types, and those who don't.