Re: Postfix, No SMTP AUTH when TLS is enabled

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 01/02/2010 02:58 AM, froinds J wrote:



On Sat, Jan 2, 2010 at 2:42 AM, Raman Gupta <rocketraman@xxxxxxxxxxx
<mailto:rocketraman@xxxxxxxxxxx>> wrote:

    On 01/01/2010 11:41 PM, froinds J wrote:

        Hello,
        I'm having a problem with postfix in F12.
        I used to have my email server setup with F10. My setup had TLS
        enabled (self signed certs) with SASL using
        pwcheck_method=auxprop and
        CRAM-MD5 DIGEST-MD5. I had virtual accounts.
        Everything worked great until I installed F12. It was a clean
        install.
        My issue now is the following:
        If I disable TLS, postfix works as expected. If I enable it, I
        cannot
        authenticate. Without TLS I can telnet to my server and I get
        250-AUTH
        CRAM-MD5 DIGEST-MD5


    What auxprop plugin are you using?

    Cheers,
    Raman


None. What should I use?
Froinds


I guess that depends on how your virtual users are configured.
I don't use auxprop myself -- I configure saslauthd to authenticate via pam (pwcheck_method: saslauthd). Then configure the /etc/pam.d/smtp file as desired (mine uses pam_mysql.so to authenticate virtual users against a mysql table).
However, based on the docs at http://www.postfix.org/SASL_README.html it appears that if you use auxprop, it should be configured with a plugin, like "auxprop_plugin: sql" or "auxprop_plugin: sasldb".
If you do switch to saslauthd (pam) note the following warning from the same docs:
IMPORTANT: The Cyrus SASL password verification services pwcheck and saslauthd can only support the plaintext mechanisms PLAIN or LOGIN. However, the Cyrus SASL library doesn't know this, and will happily advertise other authentication mechanisms that the SASL library implements, such as DIGEST-MD5. As a result, if a remote SMTP client chooses any mechanism other than PLAIN or LOGIN while pwcheck or saslauthd are used, authentication will fail. Thus you may need to limit the list of mechanisms advertised by the Postfix SMTP server. 

Cheers,
Raman

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux