Victor Duchovni wrote:
On Thu, Jul 24, 2008 at 11:00:32PM -0500, Noel Jones wrote:
But it still accepts anonymous logins:
postfix/smtpd[29015]: Anonymous TLS connection established
and the delivery goes through.
Hold on a minute... Anonymous TLS connection does *not* imply
anonymous SASL authentication. Anonymous TLS is normal and
expected; it just says your client doesn't have its own
security certificate.
More specifically, the cipher-suite selected by the client and server
does not make use of any certificates. The client was not interested
in authenticating the server, offered anonymous TLS ciphers, and the
server accepted this. Nothing wrong with this.
$ openssl ciphers -v 'ALL+aNULL:!EXPORT:@STRENGTH'
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
ADH-DES-CBC-SHA SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
The most frequently used cipher in this context with OpenSSL 0.9.[78]
is ADH-AES256-SHA.
Well, the important point is that "Anonymous TLS connection
established" has nothing at all to do with the sasl login
method...
Rich, in your logs, look for lines similar to:
Jul 24 23:00:35 mgate2 postfix/smtpd[71550]: 77EB4797884:
client=unknown[10.15.2.21], sasl_method=PLAIN,
sasl_username=michael
As long as the sasl_method is PLAIN, LOGIN, ... anything but
"anonymous", you're OK.
--
Noel Jones
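As an added example (not from the thread), a small Python checker that applies Noel's rule to Postfix smtpd log lines: the "Anonymous TLS connection established" message is recorded as informational only, and a message is flagged only when its sasl_method is ANONYMOUS. The sample log is constructed; apart from the 10.15.2.21 client and queue ID 77EB4797884 quoted above, the hosts, queue IDs and the tail of the TLS line are made up.

```python
import re
# Constructed sample log modelled on the thread's excerpts: the 10.15.2.21
# client and queue ID 77EB4797884 are from the posts, the rest is made up.
SAMPLE_LOG = """\
Jul 24 23:00:35 mgate2 postfix/smtpd[29015]: Anonymous TLS connection established from unknown[10.15.2.21]: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Jul 24 23:00:35 mgate2 postfix/smtpd[71550]: 77EB4797884: client=unknown[10.15.2.21], sasl_method=PLAIN, sasl_username=michael
Jul 24 23:01:02 mgate2 postfix/smtpd[71551]: 8A1C2797885: client=unknown[10.15.2.22], sasl_method=LOGIN, sasl_username=jane
Jul 24 23:02:10 mgate2 postfix/smtpd[71552]: 9B3D4797886: client=unknown[10.15.2.23], sasl_method=ANONYMOUS, sasl_username=anonymous
Jul 24 23:03:00 mgate2 postfix/smtpd[71553]: AC4E5797887: client=unknown[10.15.2.24]
"""
# SASL fields are present on a client= line only when the client authenticated.
CLIENT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<queue_id>[0-9A-F]+): client=(?P<client>\S+?)"
    r"(?:, sasl_method=(?P<method>\S+?))?(?:, sasl_username=(?P<user>\S+))?$"
)
ANON_TLS_RE = re.compile(r"postfix/smtpd\[\d+\]: Anonymous TLS connection established")

def is_anonymous_tls(line: str) -> bool:
    """The TLS-layer message: an aNULL cipher suite, not an anonymous login."""
    return ANON_TLS_RE.search(line) is not None

def parse_client_line(line: str):
    """Queue ID, client and SASL fields from a client= line, else None."""
    m = CLIENT_RE.search(line)
    return m.groupdict() if m else None

def audit(log_text: str) -> dict:
    """Classify messages by sasl_method; the TLS line is only recorded as info."""
    report = {
        "anonymous_tls": [],   # harmless, per the thread
        "authenticated": [],   # PLAIN, LOGIN, ... (queue IDs)
        "sasl_anonymous": [],  # the case that would actually be a problem
        "no_sasl": [],         # no SASL at all (e.g. relaying by client IP)
    }
    for line in log_text.splitlines():
        if is_anonymous_tls(line):
            report["anonymous_tls"].append(line.split("]: ", 1)[1])
            continue
        rec = parse_client_line(line)
        if rec is None:
            continue
        method = (rec["method"] or "").upper()
        if not method:
            report["no_sasl"].append(rec["queue_id"])
        elif method == "ANONYMOUS":
            report["sasl_anonymous"].append(rec["queue_id"])
        else:
            report["authenticated"].append(rec["queue_id"])
    return report
```

Run audit() over your own mail log; only the queue IDs under sasl_anonymous (or any method you do not expect to see) need attention, however many anonymous TLS lines appear.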