Your message dated Fri, 29 Jul 2016 22:29:42 -0400
with message-id <1615225.j8LHGnomFI@kitterma-e6430>
and subject line Re: postfix-tls: configuration information you requested
has caused the Debian Bug report #169394,
regarding postfix-tls: configuration information you requested
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
169394: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=169394
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: postfix-tls
Version: 1.1.11+tls0.7.15-0.woody1
Severity: wishlist

Lamont, here's a HOWTO describing how to (sic!) configure postfix-tls to
permit relaying of email from remote users who successfully
authenticate.

Step 1:  configure master.cf
----------------------------
<snip>
# listen on port 25 (smtp) and offer SASL authentication if TLS is negotiated
smtp      inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes [-o smtpd_use_tls=yes -o smtpd_tls_auth_only=yes]
# listen on port 465 (smtps) and offer SASL authentication
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
  [-o smtpd_use_tls=yes -o smtpd_tls_auth_only=yes]
# listen on port 587 (RFC 2476) and offer SASL authentication
587       inet  n       -       n       -       -       smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
  [-o smtpd_use_tls=yes -o smtpd_tls_auth_only=yes]
</snip>

These two options can be in main.cf instead.
-o smtpd_use_tls=yes          : enable ssl
-o smtpd_tls_auth_only=yes    : offer sasl authentication over TLS/SSL only
                                (VERY IMPORTANT SETTING - want encryption)

NB: I run smtpd for (smtp,smtps,587) outside the chroot so that they have
access to the pam modules, including pam-ldap.so, and the associated
configuration files.

Step 2: configure main.cf
-------------------------
<snip>
## authenticating users
# by default, disable smtpd_sasl_auth_enable
smtpd_sasl_auth_enable       = no
# support broken MS clients
broken_sasl_auth_clients     = yes
# offer authentication services over TLS/SSL connections only (very important)
smtpd_tls_auth_only          = yes
smtpd_use_tls                = yes
smtpd_tls_cert_file          = /etc/mail/mail.example.com.crt
smtpd_tls_key_file           = /etc/mail/mail.example.com.key
smtpd_tls_CAfile             = /etc/mail/CA.example.com.crt

## receiving mail
# 'permit_sasl_authenticated' = permit sasl authenticated users to relay
#                               mail through this mail server
smtpd_recipient_restrictions = permit_mynetworks permit_sasl_authenticated
  check_relay_domains
</snip>

Step 3: create the ssl/tls certificate files
--------------------------------------------
Left as an exercise for the system administrator... you could use the snakeoil
certs from apache or something.  If you want more detailed instructions,
Lamont, let me know.  Don't forget the CA cert.

Step 4: configure sasl/smtpd.conf
---------------------------------
# sasl configuration file for postfix
# could be one of:
# - passwd      : use /etc/passwd via getpwnam calls (affected by nsswitch.conf)
# - shadow      : use /etc/shadow via getpwnam calls (affected by nsswitch.conf)
#                (add euid to shadow group? - yes)
# - sia         : for Digital Unix
# - kerberos_v4 :
# - pam         : use PAM mechanism
#                (add euid to shadow group? - yes if need /etc/shadow access)
# - sasldb      : use SASL secrets database
# - pwcheck     : use separate helper daemon
#                 (see /usr/share/doc/libsasl7/README.pwcheck)
pwcheck_method: pam

As mentioned previously, there's a chroot issue...

And that's it.  The hardest part, really, is the SSL cert...

Luca


-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux postoffice 2.4.19-pre5-ac3-postoffice #1 Sat Apr 13 09:14:54 PDT 2002 i686
Locale: LANG=en_US, LC_CTYPE=en_US

Versions of packages postfix-tls depends on:
ii  debconf                  1.2.14          Debian configuration management sy
ii  libc6                    2.2.5-14.3      GNU C Library: Shared libraries an
ii  libdb3                   3.2.9-17        Berkeley v3 Database Libraries [ru
ii  libgdbmg1                1.7.3-27.1      GNU dbm database routines (runtime
ii  libsasl7                 1.5.27-3.3      Authentication abstraction library
ii  libssl0.9.6              0.9.6g-6        SSL shared libraries
hi  postfix                  1.1.11-0.woody2 A high-performance mail transport 



--- End Message ---
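
A way to audit the listeners from Steps 1 and 2 for AUTH offered on unencrypted sessions, as an added example that is not part of the bug report. It resolves each smtpd service's effective settings (main.cf values overridden by master.cf `-o` options) and lists services where SASL is enabled but none of smtpd_tls_auth_only, smtpd_enforce_tls or smtpd_tls_wrappermode is set; the function names and sample files are constructed for illustration.

```python
import shlex

def logical_lines(text):
    """Return Postfix logical lines: skip comments/blanks, join indented continuations."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit(main_cf, master_cf):
    """Return the smtpd services that would accept AUTH on an unencrypted session."""
    defaults = {}
    for line in logical_lines(main_cf):
        name, _, value = line.partition("=")
        defaults[name.strip()] = value.strip()
    exposed = []
    for line in logical_lines(master_cf):
        f = shlex.split(line)
        if len(f) < 8 or f[7] != "smtpd":         # 8th field is the command
            continue
        eff = dict(defaults)                      # main.cf value unless overridden
        for flag, arg in zip(f[8:], f[9:]):
            if flag == "-o":
                name, _, value = arg.partition("=")
                eff[name] = value
        on = lambda p: eff.get(p, "no") == "yes"  # all four default to "no"
        tls_forced = (on("smtpd_tls_auth_only") or on("smtpd_enforce_tls")
                      or on("smtpd_tls_wrappermode"))
        if on("smtpd_sasl_auth_enable") and not tls_forced:
            exposed.append(f[0])
    return exposed

# Constructed sample files (not from the bug report): main.cf leaves
# smtpd_tls_auth_only unset, so each listener must protect AUTH itself.
MAIN_CF = "smtpd_sasl_auth_enable = no\nsmtpd_use_tls = yes\n"
MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command
smtp  inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes
587   inet n - n - - smtpd
  -o smtpd_enforce_tls=yes -o smtpd_sasl_auth_enable=yes
"""

if __name__ == "__main__":
    print(audit(MAIN_CF, MASTER_CF))
```

Adding `smtpd_tls_auth_only = yes` to the sample main.cf, as Step 2 does, clears the finding for the port 25 listener.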
--- Begin Message ---
On Sat, 16 Nov 2002 14:22:28 -0800 Luca Filipozzi <[email protected]> wrote:
> Package: postfix-tls
> Version: 1.1.11+tls0.7.15-0.woody1
> Severity: wishlist
> 
> Lamont, here's a HOWTO describing how to (sic!) configure postfix-tls to
> permit relaying of email from remote users who successfully
> authenticate.
> 
...

I don't believe there is anything left to do on this bug.

Scott K

--- End Message ---
