Hello,

when I run the security test on http://www.emailsecuritygrader.com, I always
get a "-" for "AUTH Required (port 587)". To get a "+", the description says:
"Your system requires authentication (AUTH) on port 587 before the MAIL FROM
command is issued".

Auth on port 587 seems to work fine. I can't send mail through this port if
not authenticated. But how do I set it up so that authentication is required
before the "MAIL FROM" command for submission?

I use Postfix 2.6.6 shipped with RHEL 6.5 and can't upgrade to a more recent
version yet.

Thanks for your responses.

Regards,
Karl

# postconf -n
alias_database = $alias_maps
alias_maps = hash:/etc/aliases, ldap:/etc/postfix/ldap-aliases.cf
broken_sasl_auth_clients = yes
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_privs = nobody
disable_dns_lookups = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/spool/mail
mailbox_transport = cyrus
masquerade_classes = envelope_sender, header_sender, header_recipient
masquerade_domains =
masquerade_exceptions = root
mydestination = $mydomain, $myhostname, server.mydomain.tld
myhostname = server.mydomain.tld
mynetworks = 127.0.0.1/32
queue_directory = /var/spool/postfix
recipient_delimiter = +
setgid_group = postdrop
show_user_unknown_table_name = no
smtpd_banner = $myhostname ESMTP
smtpd_helo_required = no
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/db/blocked-domains
    check_client_access hash:/etc/postfix/db/no-auth-required-hosts
    reject_authenticated_sender_login_mismatch
    permit_sasl_authenticated
    check_recipient_access hash:/etc/postfix/db/not-public-available-mailboxes
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
smtpd_sender_login_maps = ldap:/etc/postfix/ldap_smtpd_sender_login_maps.cf
    hash:/etc/postfix/db/smtpd_sender_login_maps
smtpd_tls_cert_file = /etc/postfix/cert/server.mydomain.tld.crt
smtpd_tls_eecdh_grade = strong
smtpd_tls_key_file = /etc/postfix/cert/server.mydomain.tld.key
smtpd_tls_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_use_tls = yes
strict_rfc821_envelopes = no
virtual_alias_maps = hash:/etc/postfix/myotherdomain.tld

master.cf:
...
submission inet n - n - - smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=no
  -o smtpd_recipient_restrictions=reject_unauth_destination
#-o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_enforce_tls=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o syslog_name=submit-tls

# telnet localhost 587
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 server.mydomain.tld ESMTP
ehlo test
250-server.mydomain.tld
250-PIPELINING
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from: [email protected]
250 2.1.0 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.
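
The check the grader describes, applied to a recorded SMTP session, as an added example that is not part of the original post and not the grader's own code. The function names, the placeholder sender address and the second (constructed) session are assumptions made for illustration.

```python
import re

REPLY = re.compile(r"^(\d{3})([ -])")  # SMTP reply line: code, then " " (final) or "-" (more)

# Session from the post above, abridged; the sender address is a placeholder.
PAGE_SESSION = """\
220 server.mydomain.tld ESMTP
ehlo test
250-server.mydomain.tld
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN
mail from: <sender@example.org>
250 2.1.0 Ok
"""

# Constructed session: a server that refuses MAIL FROM until the client authenticates.
STRICT_SESSION = """\
220 server.mydomain.tld ESMTP
ehlo test
250-server.mydomain.tld
250 AUTH PLAIN LOGIN
mail from: <sender@example.org>
530 5.7.0 Authentication required
"""

def exchanges(transcript):
    """Pair each client line with the code of the server's final reply line."""
    pairs, command = [], None
    for line in map(str.strip, transcript.splitlines()):
        m = REPLY.match(line)
        if m is None:
            command = line or command          # client line (blank lines ignored)
        elif m.group(2) == " " and command:    # "250 " ends a reply, "250-" continues it
            pairs.append((command, int(m.group(1))))
            command = None
    return pairs

def auth_before_mail(transcript):
    """'pass' if MAIL FROM without prior AUTH is refused, 'fail' if it is accepted."""
    authenticated = False
    for command, code in exchanges(transcript):
        if code == 235:                        # RFC 4954: authentication succeeded
            authenticated = True
        elif command.upper().startswith("MAIL") and not authenticated:
            return "fail" if 200 <= code < 300 else "pass"
    return "not tested"                        # no unauthenticated MAIL FROM in the session

if __name__ == "__main__":
    print(auth_before_mail(PAGE_SESSION), auth_before_mail(STRICT_SESSION))
```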