From: Jeff Donovan on 31 Jul 2010 02:44

http://postfix.state-of-mind.de/patrick.koetter/saslfinger/

this is the result from saslfinger

> smtp2:/usr/local/saslfinger-1.0.3 root# ./saslfinger -c
> saslfinger - postfix Cyrus sasl configuration Fri Jul 30 13:46:42 EDT 2010
> version: 1.0.2
> mode: client-side SMTP AUTH
>
> -- basics --
> Postfix: 2.1.5
> System: Welcome to Darwin!
>
> -- smtp is linked to --
> ./saslfinger: line 1: ldd: command not found
> ./saslfinger: line 1: ldd: command not found
>
> -- active SMTP AUTH and TLS parameters for smtp --
> No active SMTP AUTH and TLS parameters for smtp in main.cf!
> SMTP AUTH can't work!
> smtp2:/usr/local/saslfinger-1.0.3 root#
>
> -- basics --
> Postfix: 2.1.5
> System: Welcome to Darwin!
>
> -- smtpd is linked to --
> ./saslfinger: line 1: ldd: command not found
> ./saslfinger: line 1: ldd: command not found
>
> -- active SMTP AUTH and TLS parameters for smtpd --
> smtpd_sasl_auth_enable = yes
> smtpd_tls_cert_file = /etc/certificates/Default.crt
> smtpd_tls_key_file = /etc/certificates/Default.key
> smtpd_use_tls = yes
>
>
> -- listing of /usr/lib/sasl2 --
> total 2416
> drwxr-xr-x 40 root wheel 1360 Nov 20 2008 .
> drwxr-xr-x 282 root wheel 9588 Dec 8 2009 ..
> -rw-r--r-- 1 root wheel 631 Mar 20 2005 apop.la
> -r-xr-xr-x 1 root wheel 17496 Mar 20 2005 apop.so
> -rwxr-xr-x 1 root wheel 629 Mar 20 2005 dhx.la
> -r-xr-xr-x 1 root wheel 598600 Jan 30 2006 dhx.so
> -rw-r--r-- 1 root wheel 653 Mar 20 2005 digestmd5WebDAV.la
> -r-xr-xr-x 1 root wheel 43132 Mar 20 2005 digestmd5WebDAV.so
> drwxr-xr-x 9 root wheel 306 Nov 20 2008 disabled
> -r-xr-xr-x 1 root wheel 17660 Mar 20 2005 libanonymous.2.so
> -rw-r--r-- 1 root wheel 694 Mar 20 2005 libanonymous.la
> -r-xr-xr-x 1 root wheel 17740 Mar 20 2005 libcrammd5.2.so
> -rw-r--r-- 1 root wheel 682 Mar 20 2005 libcrammd5.la
> -r-xr-xr-x 1 root wheel 47228 Jan 19 2007 libdigestmd5.2.so
> -rw-r--r-- 1 root wheel 703 Mar 20 2005 libdigestmd5.la
> -r-xr-xr-x 1 root wheel 22688 Jan 19 2007 libgssapiv2.2.0.18.so
> -r-xr-xr-x 1 root wheel 22688 Jan 19 2007 libgssapiv2.2.so
> -rw-r--r-- 1 root wheel 739 Mar 20 2005 libgssapiv2.la
> -r-xr-xr-x 1 root wheel 22504 Mar 20 2005 libkerberos4.2.so
> -rw-r--r-- 1 root wheel 628 Mar 20 2005 liblogin.la
> -rw-r--r-- 1 root wheel 637 Mar 20 2005 libntlm.la
> -r-xr-xr-x 1 root wheel 30816 Mar 20 2005 libntlm.so
> -r-xr-xr-x 1 root wheel 67668 Mar 20 2005 libotp.2.so
> -rw-r--r-- 1 root wheel 667 Mar 20 2005 libotp.la
> -r-xr-xr-x 1 root wheel 17604 Mar 20 2005 libplain.2.so
> -rw-r--r-- 1 root wheel 670 Mar 20 2005 libplain.la
> -r-xr-xr-x 1 root wheel 17612 Mar 20 2005 login.so
> -rwxr-xr-x 1 root wheel 639 Mar 20 2005 mschapv2.la
> -r-xr-xr-x 1 root wheel 22792 Mar 20 2005 mschapv2.so
> drwxr-xr-x 6 root wheel 204 Nov 9 2007 openldap
> -rwxr-xr-x 1 root wheel 641 Mar 25 2005 pwauxprop.la
> -r-xr-xr-x 1 root wheel 53192 Dec 3 2006 pwauxprop.so
> -r-xr-xr-x 1 root wheel 18580 Mar 20 2005 shadow_auxprop.so
> -rwxr-xr-x 1 root wheel 635 Mar 20 2005 smb_lm.la
> -r-xr-xr-x 1 root wheel 22316 Mar 20 2005 smb_lm.so
> -rwxr-xr-x 1 root wheel 635 Mar 20 2005 smb_nt.la
> -r-xr-xr-x 1 root wheel 22316 Mar 20 2005 smb_nt.so
> -rwxr-xr-x 1 root wheel 568 Mar 20 2005 smb_ntlmv2.la
> -r-xr-xr-x 1 root wheel 22616 Mar 20 2005 smb_ntlmv2.so
> -r-xr-xr-x 1 root wheel 21960 Mar 20 2005 twowayrandom.so
>
>
>
>
> There is no smtpd.conf that defines what SASL should do for Postfix.
> SMTP AUTH can't work!
>
> smtp2:/usr/local/saslfinger-1.0.3 root# ./saslfinger -c
> saslfinger - postfix Cyrus sasl configuration Fri Jul 30 13:46:42 EDT 2010
> version: 1.0.2
> mode: client-side SMTP AUTH
>
> -- basics --
> Postfix: 2.1.5
> System: Welcome to Darwin!
>
> -- smtp is linked to --
> ./saslfinger: line 1: ldd: command not found
> ./saslfinger: line 1: ldd: command not found
>
> -- active SMTP AUTH and TLS parameters for smtp --
> No active SMTP AUTH and TLS parameters for smtp in main.cf!
> SMTP AUTH can't work!
> smtp2:/usr/local/saslfinger-1.0.3 root#
>
>

From: Magnus Bäck on 31 Jul 2010 11:11

On Friday, July 30, 2010 at 19:47 CEST,
donovan jeffrey j <donovan(a)beth.k12.pa.us> wrote:

[...]

> There is no smtpd.conf that defines what SASL should do for Postfix.
> SMTP AUTH can't work!

This is bad.

http://www.postfix.org/SASL_README.html#server_sasl

Apple has patched Postfix so you may need to read the Apple
documentation.

> smtp2:/usr/local/saslfinger-1.0.3 root# ./saslfinger -c
> saslfinger - postfix Cyrus sasl configuration Fri Jul 30 13:46:42 EDT 2010
> version: 1.0.2
> mode: client-side SMTP AUTH

I assume the previous output was for server-side SASL (which is what
you're after). Never mind client-side SASL for now.

[...]

--
Magnus Bäck
magnus(a)dsek.lth.se

From: donovan jeffrey j on 31 Jul 2010 11:46

On Jul 31, 2010, at 11:11 AM, Magnus Bäck wrote:

> On Friday, July 30, 2010 at 19:47 CEST,
> donovan jeffrey j <donovan(a)beth.k12.pa.us> wrote:
>
> [...]
>
>> There is no smtpd.conf that defines what SASL should do for Postfix.
>> SMTP AUTH can't work!
>
> This is bad.
>
> http://www.postfix.org/SASL_README.html#server_sasl
>
> Apple has patched Postfix so you may need to read the Apple
> documentation.
>
>> smtp2:/usr/local/saslfinger-1.0.3 root# ./saslfinger -c
>> saslfinger - postfix Cyrus sasl configuration Fri Jul 30 13:46:42 EDT 2010
>> version: 1.0.2
>> mode: client-side SMTP AUTH
>
> I assume the previous output was for server-side SASL (which is what
> you're after). Never mind client-side SASL for now.

thanks for the reply

this is an older 10.4 machine. I just tested it with a 10.4.11 I just
enabled their gui for smtpd Auth
the result matched my config but i received the same test results;

client side starttls it just sits and waits.

10.4.11
imap2:~ root# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 imap2.beth.k12.pa.us ESMTP Postfix
EHLO imap2.beth.k12.pa.us
250-imap2.beth.k12.pa.us
250-PIPELINING
250-SIZE 20971520
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME

then I tested it with 10.5.8 and 10.6
map3:postfix root# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying fe80::1...
telnet: connect to address fe80::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 imap3.beth.k12.pa.us ESMTP Postfix
EHLO imap3.beth.k12.pa.us
250-imap3.beth.k12.pa.us
250-PIPELINING
250-SIZE 15728640
250-VRFY
250-ETRN
250-AUTH LOGIN PLAIN CRAM-MD5
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

server side.

is it bad to have some clients initiate the Starttls ?

-j

From: Magnus Bäck on 31 Jul 2010 12:09

On Saturday, July 31, 2010 at 17:46 CEST,
donovan jeffrey j <donovan(a)beth.k12.pa.us> wrote:

> this is an older 10.4 machine. I just tested it with a 10.4.11 I just
> enabled their gui for smtpd Auth
> the result matched my config but i received the same test results;
>
> client side starttls it just sits and waits.

As I said in my first response, the server has given its EHLO response
and is indeed waiting for a new command from the client. This is
expected behaviour.

> 10.4.11
> imap2:~ root# telnet localhost 25
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 imap2.beth.k12.pa.us ESMTP Postfix
> EHLO imap2.beth.k12.pa.us
> 250-imap2.beth.k12.pa.us
> 250-PIPELINING
> 250-SIZE 20971520
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250 8BITMIME

Okay, no AUTH line in the EHLO response so authentication is not
supported.

>
> then I tested it with 10.5.8 and 10.6
> map3:postfix root# telnet localhost 25
> Trying ::1...
> telnet: connect to address ::1: Connection refused
> Trying fe80::1...
> telnet: connect to address fe80::1: Connection refused
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 220 imap3.beth.k12.pa.us ESMTP Postfix
> EHLO imap3.beth.k12.pa.us
> 250-imap3.beth.k12.pa.us
> 250-PIPELINING
> 250-SIZE 15728640
> 250-VRFY
> 250-ETRN
> 250-AUTH LOGIN PLAIN CRAM-MD5
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN

This looks better; this server can authenticate clients via the
LOGIN, PLAIN, and CRAM-MD5 mechanisms. Did you try to authenticate
with an SMTP client?

> server side.
>
> is it bad to have some clients initiate the Starttls ?

Pardon? If it's bad to use TLS via STARTTLS? No.

--
Magnus Bäck
magnus(a)dsek.lth.se

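The EHLO check described in the message above, as an added example that is not part of the original thread: it parses the two EHLO replies quoted in the messages and reports whether AUTH and STARTTLS are advertised, and which mechanisms that expose the password are offered on the unencrypted session. The function names and the `EHLO_LEGACY` sample (host `mail.example.test`) are constructed for illustration.

```python
import re

# EHLO replies copied from the two telnet sessions quoted in this thread.
EHLO_10_4 = ("250-imap2.beth.k12.pa.us\n250-PIPELINING\n250-SIZE 20971520\n"
             "250-VRFY\n250-ETRN\n250-STARTTLS\n250 8BITMIME\n")
EHLO_10_5 = ("250-imap3.beth.k12.pa.us\n250-PIPELINING\n250-SIZE 15728640\n"
             "250-VRFY\n250-ETRN\n250-AUTH LOGIN PLAIN CRAM-MD5\n250-STARTTLS\n"
             "250-ENHANCEDSTATUSCODES\n250-8BITMIME\n250 DSN\n")
# Constructed sample: the legacy "AUTH=" spelling some servers add for old clients.
EHLO_LEGACY = "250-mail.example.test\n250-AUTH=LOGIN PLAIN\n250 8BITMIME\n"

REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # password is only base64-encoded on the wire


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line EHLO reply (RFC 5321)."""
    extensions = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for index, line in enumerate(lines):
        match = REPLY_LINE.match(line)
        if not match or match.group(1) != "250":
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        sep, text = match.group(2), match.group(3)
        if index > 0:  # line 0 is the server's greeting, not an extension
            if text.upper().startswith("AUTH="):
                text = "AUTH " + text[5:]
            words = text.upper().split()
            if words:
                params = extensions.setdefault(words[0], [])
                params.extend(w for w in words[1:] if w not in params)
        if sep == " ":
            break  # "250 " with a space marks the final line of the reply
    return extensions


def audit(reply):
    """Summarise what the plaintext (pre-TLS) session advertises."""
    ext = parse_ehlo(reply)
    mechs = ext.get("AUTH", [])
    return {
        "auth_offered": "AUTH" in ext,
        "mechanisms": mechs,
        "starttls_offered": "STARTTLS" in ext,
        # PLAIN/LOGIN advertised on the unencrypted session.
        "cleartext_before_tls": [m for m in mechs if m in CLEARTEXT_MECHS],
    }
```

`audit(EHLO_10_5)` lists LOGIN and PLAIN under `cleartext_before_tls`, since that reply was captured before any STARTTLS. On Postfix, `smtpd_tls_auth_only = yes` keeps AUTH from being announced or accepted until the session is encrypted.
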
From: mailing lists on 2 Aug 2010 06:25

>> imap2:~ root# telnet localhost 25
>> Trying ::1...
>> telnet: connect to address ::1: Connection refused
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> 220 imap2.beth.k12.pa.us ESMTP Postfix
>> EHLO imap2.beth.k12.pa.us
>> 250-imap2.beth.k12.pa.us
>> 250-PIPELINING
>> 250-SIZE 20971520
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250 8BITMIME

>Okay, no AUTH line in the EHLO response so authentication is not
>supported.

Perhaps you can try the postfix version in darwinports:

http://postfix.darwinports.com/

It has support for postfix (2.6.x) with the following variants:

add pcre support
add tls support via openssl
add sasl support via cyrus-sasl2
add ldap support via openldap
add mysql support via mysql5
add postgresql support via postgresql83
add Dovecot SASL support

Regards