Sandy Drobic wrote:
> Just a little question. In your config below I see two possibilities to
> authenticate: either by using conventional user/pass or by using a client
> certificate.
> Which one are you trying to implement?

Hadn't realised there were two here. I'd like the most secure and least
likely to allow someone else access to my server! (BTW I'm using Courier
IMAP having set most of this up by working through 'Linux Email' by
several authors including Patrick Koetter. My TLS certificate was built
based on Chapter 13 of Kyle Dent's O'Reilly publication, 'Postfix - the
definitive guide'. It wouldn't surprise me if I've gotten into a muddle
trying to work between these books and the readme files with Postfix
itself!)

> Did you test both of them?
>
>> postconf output follows:
>> broken_sasl_auth_clients = yes
>> mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
>> relay_clientcerts = hash:/etc/postfix/relay_ccerts
>> smtpd_recipient_restrictions = permit_mynetworks,
>> permit_sasl_authenticated, permit_tls_clientcerts,
>> reject_unauth_destination
>> smtpd_sasl_application_name = smtpd
>> smtpd_sasl_auth_enable = no
>
> Er, hello?!? If you want to use smtp auth you need to set this to "yes"!
> smtpd_sasl_auth_enable = yes

Er yes! - see below

>> smtpd_sasl_local_domain =
>> smtpd_sasl_security_options = noanonymous, noplaintext
>> smtpd_sasl_tls_security_options = noanonymous
>> smtpd_tls_CAfile = /Certificates/ssl/Authority/CA.crt
>> smtpd_tls_ask_ccert = yes
>> smtpd_tls_auth_only = yes
>> smtpd_tls_cert_file =
>> /Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
>> smtpd_tls_key_file =
>> /Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
>> smtpd_tls_loglevel = 0
>> smtpd_tls_received_header = yes
>> smtpd_tls_req_ccert = yes
>> smtpd_use_tls = yes
>
> The rest looks fine. If you are trying to use client certs, did you put
> the client cert on your phone? I don't remember seeing a line in the tls
> log where the client (your phone) is presenting a client certificate.

The phone has a PKCS12 format key and trusted certificate, the
fingerprint of which is the only entry in relay_ccerts alongside my
forename as user. This key-and-relay_ccerts-fingerprint set was
generated by openssl but I'm hesitant about posting a key on this list.

> If you can't get saslfinger to work, please show the output of the last
> line of this command (the capabilities of your server after a tls
> connection has been established and the ehlo command is invoked).
>
> openssl s_client -starttls smtp -connect localhost:25

see below (sensitive info cut - hopefully!)

> ehlo localhost
>
> Please also post the content of /usr/lib/sasl2/smtpd.conf.

pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN

> If you are trying to use client certificates for authentication please
> also post the content of /etc/postfix/relay_ccerts and verify that it is
> indeed the fingerprint of your client certificate.
depth=1 /C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=DMJ-Consultancy/[EMAIL PROTECTED]
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/[EMAIL PROTECTED]
i:/C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=DMJ-Consultancy/[EMAIL PROTECTED]
1 s:/C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=DMJ-Consultancy/[EMAIL PROTECTED]
i:/C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=DMJ-Consultancy/[EMAIL PROTECTED]
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDVDCCAr2gAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMCVUsx
.......................................
qIRGNhhaclu7lwdDEtpNP2skqcz5VLVVcgwb3eM4TJ01yXFx8ZD8Pw==
-----END CERTIFICATE-----
subject=/C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/[EMAIL PROTECTED]
issuer=/C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=DMJ-Consultancy/[EMAIL PROTECTED]
---
Acceptable client certificate CA names
/C=UK/ST=H?/L=P?/O=DMJ
Consultancy/CN=DMJ-Consultancy/[EMAIL PROTECTED]
---
SSL handshake has read 2500 bytes and written 383 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-A?6-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-A?6-SHA
Session-ID:
8872A2FA0F712B2BC2CFA301BE17D648944093293F266D209236F36579B2718D
Session-ID-ctx:
Master-Key:
8D133580FA......................................345B932674871F1
Key-Arg : None
Start Time: 1190157431
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
---
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
ehlo localhost
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
500 Error: bad syntax
Above was with smtpd_sasl_auth_enable = no
Setting it to yes and reloading gives
read:errno=32
to the openssl command above
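As an added example (not code from this thread or from Postfix), a small Python script that parses the two EHLO replies quoted above, before STARTTLS and inside the TLS session, and reports what a submitting client would conclude from them. The capability lines are taken from the thread; the wording of the findings and the '250-AUTH=PLAIN LOGIN' sample are my own assumptions.

```python
import re

# Constructed from the two EHLO replies quoted in the thread: the first before
# STARTTLS, the second inside the TLS session (no STARTTLS and no AUTH offered).
EHLO_BEFORE_TLS = """250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
"""
EHLO_AFTER_TLS = """250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
"""

def parse_ehlo(reply):
    """Map EHLO keywords to their arguments. The first 250 line is the server's
    hostname and is skipped. Postfix with broken_sasl_auth_clients = yes also emits
    the legacy '250-AUTH=PLAIN LOGIN' line; it is folded into the AUTH keyword."""
    caps = {}
    lines = [l.rstrip("\r") for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:
        m = re.match(r"250[- ](\S+)(?:\s+(.*))?$", line)
        if not m:
            raise ValueError("not an EHLO reply line: %r" % line)
        keyword, arg = m.group(1).upper(), (m.group(2) or "").strip()
        if keyword.startswith("AUTH="):
            keyword, arg = "AUTH", (keyword[5:] + " " + arg).strip()
        caps[keyword] = arg
    return caps

def diagnose(before_tls, after_tls):
    """Return findings a client would run into. Parameter names are Postfix's;
    the finding texts are this example's own."""
    before, after = parse_ehlo(before_tls), parse_ehlo(after_tls)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered: TLS is not enabled for smtpd")
    if "AUTH" not in after:
        findings.append("AUTH not advertised after STARTTLS: SASL is disabled "
                        "(smtpd_sasl_auth_enable) or its backend is failing; "
                        "only client certificates can authenticate")
    elif set(before.get("AUTH", "").split()) & {"PLAIN", "LOGIN"}:
        findings.append("plaintext mechanisms offered before TLS: "
                        "smtpd_tls_auth_only = yes restricts AUTH to the TLS session")
    return findings

if __name__ == "__main__":
    for finding in diagnose(EHLO_BEFORE_TLS, EHLO_AFTER_TLS):
        print(finding)
```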