Hello Viktor,
thanks very much for your reply. I still may have some understanding issues:
Am 05.07.23 um 16:22 schrieb Viktor Dukhovni via Postfix-users:
On Wed, Jul 05, 2023 at 02:42:54PM +0200, Ede Wolf via Postfix-users wrote:
I am having a weired issue. My provider for the relayhost switched to
SSL - which is fine by itself - but that also changed the authentication
scheme.
What SASL mechanism was used before that?
Frankly, I do not know, it just worked with the posted configuration.
So most likely switching from, say, CRAM-MD5 or similar to PLAIN is
likely progress. As is enabling TLS, regardless of whether the SASL
mechanism is challenge-response based.
Thanks for the heads up. According to the support, they now do store the
hash.
So now I am wondering, wether or how this could be accomplished with
postfix?
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:$meta_directory/smtp_auth
smtp_sasl_security_options =
#smtp_sasl_security_options = noanonymous
But I am not sure, how to convert this into simple plain text auth.
Google advised to leave the smtp_sasl_security_options
empty, but that did not do the trick.
That's not quite the whole story, the relevant documented defaults are:
smtp_sasl_security_options (default: noplaintext, noanonymous)
smtp_sasl_tls_security_options (default: $smtp_sasl_security_options)
smtp_sasl_tls_verified_security_options (default:
$smtp_sasl_tls_security_options)
But you need at least the last of these to admit "plaintext" (i.e. not
specify "noplaintext"). The correct (security-minded) configuration is:
# smtp_sasl_security_options = noplaintext noanonymous
# smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = noanonymous
Not sure I am understanding this correctly. While commented out in my
above example, I have been using:
smtp_sasl_security_options = noanonymous
before, and it did not work, that is why I removed the noanonymous.
However, now I have tried both:
smtp_sasl_tls_verified_security_options = noanonymous
and:
smtp_sasl_tls_security_options = noanonymous
and all three of them. Again, I do not comprehend, how noanymous forces
PLAIN.
Anyway, there is no difference at all, mail is being rejected.
Generally, while of course TLS should be used with plain passwords,
those are two different things, aren't they? Establishing an encrypted
connection is one thing, after the connection has been established,
sending the password is another. As fas as I can see, I am not having
connection issues.
Use a custom "default_transport" with an explicit "nexthop" relay,
instead of just "relayhost". This makes it possible to specify
appropriate TLS policy settings without resorting to a TLS policy table.
main.cf:
# Possibly with a ":port" suffix
default_transport = isprelay:[smtp.provider.net]
master.cf:
# Note, no chroot!
isprelay unix - - n - - smtp
-o { smtp_tls_security_level = secure }
-o { smtp_tls_CAfile = /etc/postfix/ispcas.pem }
The "ispcas.pem" file (or pick another pathname) can list just the CAs
you trust and expect to issue the ISPs certificate (ideally less than
the entire browser CA/B forum CA "bundle").
What advantages may this have to simply specifying:
smtp_tls_security_level = encrypt
in the main.cf, which I already do have?
As mentioned before, I do not seem to have connection issues:
Jul 5 21:24:32 mail.info postfix/smtp[5484]: B70A010F2CE:
to=<testm...@example.de>, relay=smtp.worldserver.net[217.13.200.36]:587,
delay=270, delays=267/0.02/2.5/0, dsn=4.7.8, status=deferred (SASL
authentication failed; server smtp.worldserver.net[217.13.200.
So we are already past the handshake, just the way the password is
presented to the server does not get accepted.
The Server advertises:
EHLO nebelschwaden.de
....
00d0 - 90 ee e2 1b 4b
250-mail.worldserver.net
250-PIPELINING
250-SIZE 71303168
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 CHUNKING
The problem here is, that the annoucement of CRAM-MD5 is false. While it
still does work for older accounts, it does not any more not for newly
created or somehow modified older ones.
Also, with an old account I can send mails via thunderbird with
"password encrypted", while this does not work any more with a newly
created account, where I have to use TLS and "password, transmitted
insecurely"
So probably, to answer your initial question, I do suppose I have been
using cram-md5 until now. Now I need to force (not just admit) plain
and, unless I have missed something, the smtp_tls* settings are not enough.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
