On 27/09/17 20:35, Thomas Bauer wrote:
> service auth {
>   inet_listener {
>     address = 192.0.0.1
>     port = 10001
>     ssl = yes
>   }
> }

ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored.

> -o smtpd_tls_security_level=encrypt

This definitely does not do what you think it does. This setting is for the smtpd server, not the SASL client. It will enforce TLS between the MUA (email client) and postfix. It does not affect the connection between postfix and the dovecot SASL server at all. The only way to encrypt the connection between postfix and dovecot SASL is to use a tunnel.

Peter
On 27.09.2017 13:21, Peter wrote:
> On 27/09/17 20:35, Thomas Bauer wrote:
>> service auth {
>>   inet_listener {
>>     address = 192.0.0.1
>>     port = 10001
>>     ssl = yes
>>   }
>> }
> ssl=yes is not documented to work for the auth service and it's highly
> likely that it is simply ignored.

It is documented for inet_listeners in general and is not ignored. Any dovecot inet_listener can be given this flag.

You could use stunnel on the other end.

Aki
On 28/09/17 00:11, Aki Tuomi wrote:
>> ssl=yes is not documented to work for the auth service and it's highly
>> likely that it is simply ignored.
>
> It is documented for inet_listeners in general and is not ignored. Any
> dovecot inet_listener can be given this flag.
>
> You could use stunnel on the other end.

Does it turn the auth socket into a direct TLS connection, or is there a STARTTLS implementation for it?

Peter
* Aki Tuomi <aki.tuomi@dovecot.fi>:
>
> On 27.09.2017 13:21, Peter wrote:
> > On 27/09/17 20:35, Thomas Bauer wrote:
> >> service auth {
> >>   inet_listener {
> >>     address = 192.0.0.1
> >>     port = 10001
> >>     ssl = yes
> >>   }
> >> }
> > ssl=yes is not documented to work for the auth service and it's highly
> > likely that it is simply ignored.
>
> It is documented for inet_listeners in general and is not ignored. Any
> dovecot inet_listener can be given this flag.

However AFAIK Postfix does not honor an SSL encrypted layer for SASL auth.

> You could use stunnel on the other end.

That's what we usually do.

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
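The setup the thread converges on (Dovecot terminates TLS on the auth listener, Postfix talks plaintext to a local stunnel client that carries the connection over TLS), written out as an added example. This is not configuration from the original posts or from the Dovecot, Postfix or stunnel projects. Host 192.0.0.1 and port 10001 are taken from Thomas's config; the certificate, key and CA paths, the stunnel file name and the hostname `auth.example` are assumptions. The point of encrypting this hop at all is that Postfix forwards the user's SASL credentials to Dovecot's auth service, so a plaintext `inet:` listener on a network interface exposes passwords to anyone on the path. Dovecot's `ssl = yes` on an `inet_listener` is implicit TLS from the first byte (the same mechanism as the `imaps`/`pop3s` listeners), which is why stunnel in client mode, rather than a STARTTLS-aware tool, is the matching peer.

```conf
# --- Dovecot side (host 192.0.0.1) ----------------------------------------
# Assumed certificate and key paths. ssl=yes on the listener makes it
# TLS-from-connect; nothing plaintext is accepted on 10001.
ssl_cert = </etc/dovecot/certs/auth.example.pem
ssl_key  = </etc/dovecot/private/auth.example.key

service auth {
  inet_listener {
    address = 192.0.0.1
    port    = 10001
    ssl     = yes
  }
}

# --- stunnel on the Postfix host, /etc/stunnel/dovecot-auth.conf (assumed) --
# Plaintext Dovecot auth protocol on loopback, TLS on the wire.
[dovecot-auth]
client  = yes
accept  = 127.0.0.1:10001
connect = 192.0.0.1:10001
# Verify the Dovecot certificate chain and its hostname (stunnel 5 option
# names); without this the tunnel encrypts but does not authenticate the peer.
verifyChain = yes
CAfile      = /etc/ssl/certs/internal-ca.pem
checkHost   = auth.example

# --- Postfix main.cf ---------------------------------------------------------
# Point the Dovecot SASL client at the local stunnel endpoint, never directly
# at 192.0.0.1:10001 (Postfix would send the auth protocol in plaintext).
smtpd_sasl_type        = dovecot
smtpd_sasl_path        = inet:127.0.0.1:10001
smtpd_sasl_auth_enable = yes

# Governs only the MUA <-> Postfix leg, as Peter notes; it has no effect on
# the Postfix <-> Dovecot auth hop above.
smtpd_tls_security_level = encrypt
```

The loopback `accept` on the stunnel side is reachable by every local process, so on a shared host either run stunnel and Postfix in the same user context only or restrict 127.0.0.1:10001 with a local firewall rule; the tunnel protects the network path, not the local socket. Nothing here authenticates Postfix to Dovecot; if that matters, add a client certificate in the stunnel section and require it on the Dovecot side, or firewall 192.0.0.1:10001 to the Postfix host.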