From: Jelle de Jong on
Hello everybody,

I got a whole set >20 of Debian systems connected to mobile broadband
internet. They are behind a NAT with dynamic IPs.

I want these systems to be able to send emails to my server for all
kinds of reasons like monitoring, security updates etcetera.

I want to use postfix to authorise to my secured SMTP server to be
able to deliver mail. The authorisation should be like the ones used
on my MTAs like Mozilla Thunderbird with SMTP authorisation.

Configuration option I made up:

authuser=username@powercraft.nl
authpass=password
authmethod=plain
mailhub=secure.powercraft.nl:465
usessl=true

Can somebody show me an example how to set up a simple outgoing only
email configuration that uses SMTP AUTH over SSL?

Thanks in advance,

Kind regards,

Jelle

From: Wietse Venema on
Jelle de Jong:
> Hello everybody,
>
> I got a whole set >20 of Debian systems connected to mobile broadband
> internet. They are behind a NAT with dynamic IPs.
>
> I want these systems to be able to send emails to my server for all
> kinds of reasons like monitoring, security updates etcetera.
>
> I want to use postfix to authorise to my secured SMTP server to be
> able to deliver mail. The authorisation should be like the ones used
> on my MTAs like Mozilla Thunderbird with SMTP authorisation.
>
> Configuration option I made up:
>
> authuser=username@powercraft.nl
> authpass=password
> authmethod=plain
> mailhub=secure.powercraft.nl:465
> usessl=true
>
> Can somebody show me an example how to set up a simple outgoing only
> email configuration that uses SMTP AUTH over SSL?

Postfix SASL: http://www.postfix.org/SASL_README.html

Postfix TLS: http://www.postfix.org/TLS_README.html

These are organized in client and server sections, with examples.
There is no need to repeat this information on the mailing list.

Wietse

From: Jelle de Jong on
Wietse Venema wrote, on 23-01-10 14:41:
> Jelle de Jong:
>> Can somebody show me an example how to set up a simple outgoing only
>> email configuration that uses SMTP AUTH over SSL?
>
> Postfix SASL: http://www.postfix.org/SASL_README.html
> Postfix TLS: http://www.postfix.org/TLS_README.html
>
> These are organized in client and server sections, with examples.
> There is no need to repeat this information on the mailing list.

Thank you Wietse for your fast response, seems the answer was so
obvious and I should have found it with some internet searching.

However, it took me a good number of hours to get it actually working.
Therefore I am writing down some pointers here so other people may
find them in the mailing list archives.

I used Debian stable to install postfix with:
apt-get install postfix ca-certificates
# no configuration or satellite

I received the following errors in my configuration:
# (SASL authentication failed; cannot authenticate to server
secure.powercraft.nl[84.245.3.195]: no mechanism available)

Seemed the configuration was fine but I was missing the actual
libraries. So I installed: apt-get install libsasl2-modules

Next pointer, for plain auth over SSL use the following:
postconf -e 'smtp_sasl_auth_enable = yes'
postconf -e 'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd'
postconf -e 'smtp_sasl_tls_security_options = noanonymous'
postconf -e 'smtp_tls_security_level = encrypt'
postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'

On the server side use:
smtpd_sender_restrictions = permit_sasl_authenticated, ...

I still had one question of my own: I seem to be only able to use port
25 with postfix, my icedove mta uses secure.powercraft.nl:465 with
ssl, but I can't get that to work with postfix. It will just generate
a time-out after the connection. Port 25 is subjected to blocks and
filters on an increasing number of networks, so I like to keep using
other ports. If somebody found a solution for this, I would be happy
to use it.

Hope that helps some people :)

Kind regards,

Jelle

From: Michael Orlitzky on
Jelle de Jong wrote:
> Victor Duchovni wrote, on 23-01-10 17:48:
>> On Sat, Jan 23, 2010 at 05:31:47PM +0100, Jelle de Jong wrote:
>>
>>> postconf -e 'smtp_tls_security_level = encrypt'
>> Is this SMTP client going to send all mail to a small set of TLS enabled
>> relay hosts? Or are you choosing to not be able to send any email to
>> the vast majority of domains whose MX hosts don't offer TLS?
>
> The system is a satellite system that is only sending mail to one
> secure mail server, the mailrelay is only affable for smtp auth over
> ssl. The hostname of the sender will fail every sane check if it sent
> to other machines, because it has no fixed IP, and is behind a series
> of NATs.
>
>>> postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
>> Why disable both SSLv2 and TLSv1?! Leave this setting at its default
>> value, or disable just SSLv2. Does your client or server correctly handle
>> SSLv3, but fail to interoperate via TLSv1?
>
> Well my server supports SSLv3 just fine, so I thought I disable
> everything lower, and if better protocols come around postfix will
> update and will still be able to use the newer stuff since I did not
> force it to only use SSLv3.

TLSv1 is newer stuff.

From: Victor Duchovni on
On Sat, Jan 23, 2010 at 05:59:37PM +0100, Jelle de Jong wrote:

> >> postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
> >
> > Why disable both SSLv2 and TLSv1?! Leave this setting at its default
> > value, or disable just SSLv2. Does your client or server correctly handle
> > SSLv3, but fail to interoperate via TLSv1?
>
> Well my server supports SSLv3 just fine, so I thought I disable
> everything lower, and if better protocols come around postfix will
> update and will still be able to use the newer stuff since I did not
> force it to only use SSLv3.

The default settings for advanced TLS features were chosen with care.
It is unwise to change them unless you are a TLS expert. TLSv 1.0 is
SSL 3.1. TLS 1.1 is SSL 3.2, ... There is no plan for TLSv2 at this
time, but it would be SSL version 4.

Don't change advanced TLS settings until you have read the relevant
OpenSSL documentation and/or RFCs and in some cases the OpenSSL source
code (sadly OpenSSL documentation is not as complete as the Postfix
documentation).

--
Viktor.
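
Added example, not written by any poster in this thread: a shell check
that resolves a protocol list with "!name" exclusions and audits the
client settings posted above, showing that "!SSLv2, !TLSv1" leaves only
SSLv3. The function names, the KNOWN_PROTOCOLS list (only the names
mentioned in the thread) and the expected values (the satellite setup
described above) are assumptions of this example.

```shell
# Added example: audit Postfix SMTP client settings given as "name = value" text.
KNOWN_PROTOCOLS="SSLv2 SSLv3 TLSv1"   # assumption: names from the thread, oldest first

# get_param TEXT NAME: print the value of NAME (last occurrence wins).
get_param() {
    printf '%s\n' "$1" | awk -F= -v name="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == name { val = substr($0, index($0, "=") + 1) }
        END { gsub(/^[ \t]+|[ \t]+$/, "", val); print val }'
}

# remaining_protocols VALUE: resolve a protocol list with "!name" exclusions.
remaining_protocols() {
    include="" exclude="" out=""
    for tok in $(printf '%s' "$1" | tr ',:' '  '); do
        case $tok in
            \!*) exclude="$exclude ${tok#\!}" ;;
            *)   include="$include $tok" ;;
        esac
    done
    [ -n "$include" ] || include=$KNOWN_PROTOCOLS   # nothing named: all known
    for p in $KNOWN_PROTOCOLS; do
        case " $include " in *" $p "*) ;; *) continue ;; esac
        case " $exclude " in *" $p "*) continue ;; esac
        out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# audit_client TEXT: return 1 if a setting differs or the newest protocol is off.
audit_client() {
    rc=0
    for pair in smtp_sasl_auth_enable=yes smtp_tls_security_level=encrypt \
                smtp_sasl_tls_security_options=noanonymous; do
        got=$(get_param "$1" "${pair%%=*}")
        [ "$got" = "${pair#*=}" ] || { echo "FAIL ${pair%%=*}: got '$got'"; rc=1; }
    done
    left=$(remaining_protocols "$(get_param "$1" smtp_tls_mandatory_protocols)")
    case " $left " in *" TLSv1 "*) ;; *)
        echo "FAIL smtp_tls_mandatory_protocols: TLSv1 disabled, left: $left"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the client settings posted earlier in the thread.
SAMPLE='smtp_sasl_auth_enable = yes
smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
audit_client "$SAMPLE" || echo "audit: settings need attention"
```

On a real satellite the same check can be fed the output of postconf -n
instead of the constructed sample.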
