search for: smtpd_tls_security_level

Hi List, I have a postfix server based on CentOS 5 in which I have been trying to add TLS encryption support for SMTP. From the localhost when I do an EHLO, following is the output [root at xxxxxxx ~]# nc localhost 25 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix EHLO localhost 250-xxxxxxx.xxxx.xxx.xx 250-PIPELINING 250-SIZE 41943040 250-VRFY 250-ETRN 250-STARTTLS 250-AUTH PLAIN LOGIN 250-AUTH=PLAIN

...       -       -       smtpd   -o content_filter=spamassassin dnsblog   unix  -       -       -       -       0       dnsblog tlsproxy  unix  -       -       -       -       0       tlsproxy submission inet n       -       -       -       -       smtpd   -o syslog_name=postfix/submission   -o smtpd_tls_security_level=encrypt   -o smtpd_sasl_auth_enable=yes   -o content_filter=spamassassin   -o smtpd_client_restrictions=permit_sasl_authenticated,reject   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject   -o milter_macro_daemon_name=ORIGINATING smtps     inet  n       -       -       -       -  ...

...ost.localdomain, xyz.com , localhost mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all inet_protocols = all smtpd_sasl_type = dovecot smtpd_sasl_auth_enable = yes smtp_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_tls_security_level = may ---------------------------------- master.cf smtp inet n - y - - smtpd submission inet n - y - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_tls_au...

...spamassassin > > dnsblog   unix  -       -       -       -       0       dnsblog > > tlsproxy  unix  -       -       -       -       0       tlsproxy > > submission inet n       -       -       -       -       smtpd > >   -o syslog_name=postfix/submission > >   -o smtpd_tls_security_level=encrypt > >   -o smtpd_sasl_auth_enable=yes > >   -o content_filter=spamassassin > >   -o smtpd_client_restrictions=permit_sasl_authenticated,reject > >   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject > >   -o milter_macro_daemon_name=ORIGINATING &g...

Hi Is it possible to secure the Dovecot SASL auth provider for postfix? https://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL I'm currently using the inet option to provide SASL auth to postfix for dovecot. Both installs are on different hosts hence the use of inet rather than unix socket. I'm looking for the best way to secure this channel (rather than just assuming the VLAN is secure

...0/8> [::ffff:127.0.0.0]/104 > [::1]/128 > mailbox_size_limit = 0 > recipient_delimiter = + > inet_interfaces = all > inet_protocols = all > > smtpd_sasl_type = dovecot > smtpd_sasl_auth_enable = yes > smtp_sasl_auth_enable = yes > broken_sasl_auth_clients = yes > smtpd_tls_security_level = may > ---------------------------------- > > master.cf <http://master.cf> > smtp ? ? ?inet ?n ? ? ? - ? ? ? y ? ? ? - ? ? ? - ? ? ? smtpd > submission inet n ? ? ? - ? ? ? y ? ? ? - ? ? ? - ? ? ? smtpd > ? -o syslog_name=postfix/submission > ? -o smtpd_tls_security_leve...

One of my accounts was having login failures when trying to send mail, but was able to check mail. I tried everything I could think of to see what the issue might be, but eventually went in and reset the password in the sql database (I knew the password, so I reset it to the same password). {SHA256-CRYPT}$5$VuS? {SHA256-CRYPT}$5$VI7? So the password was updated properly. Clients can still

...ion smtpd_sasl_auth_enable = yes smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous smtpd_sasl_type = dovecot smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/pki/tls/certs/mail_the10thfloor_com.crt smtpd_tls_key_file = /etc/pki/tls/private/mail_the10thfloor_com-nopass.key smtpd_tls_security_level = may soft_bounce = no tls_random_source = dev:/dev/urandom unknown_local_recipient_reject_code = 550 virtual_gid_maps = static:502 virtual_mailbox_base = /home/vmail/ virtual_mailbox_domains = the10thfloor.com virtual_mailbox_maps = hash:/etc/postfix/vmailbox virtual_uid_maps = static:502

...reject_sender_login_mismatch, permit_sasl_authenticated, reject_unknown_helo_hostname, reject_unknown_recipient_domain, reject_unknown_sender_domain smtpd_tls_cert_file = /etc/ssl/server/servername.pem smtpd_tls_key_file = $smtpd_tls_cert_file smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may unknown_local_recipient_reject_code = 550 virtual_alias_maps = mysql:/etc/postfix/mysql-virtual_alias_maps.cf virtual_gid_maps = static:2000 virtual_mailbox_base = /var/customers/mail/ virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual_mailbox_domains.cf virtual_mailbox_limit = 0 virt...

...ous smtpd_sasl_type = dovecot smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining, reject_unauth_destination smtpd_timeout = 30 smtpd_tls_cert_file = /etc/postfix/ssl/wildcard.domain.com.crt smtpd_tls_key_file = /etc/postfix/ssl/wildcard.domain.com.key smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache transport_maps = mysql:/etc/postfix/mysql_transport.cf vacation_destination_recipient_limit = 1 virtual_alias_maps = mysql:/etc/postfix/mysql_virtual_alias_maps.cf virtual_gid_maps = static:125 virtual_mailbox_base = /var...

...rus smtpd_timeout = 10s smtpd_tls_CAfile = /etc/pki/tls/certs/mailcampaign_csusb_edu_interm.cer smtpd_tls_cert_file = /etc/pki/tls/certs/mailcampaign_csusb_edu_cert.cer smtpd_tls_key_file = /etc/pki/tls/private/mailcampaign_csusb_edu.key smtpd_tls_loglevel = 0 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache smtpd_tls_session_cache_timeout = 10800s smtpd_use_tls = yes transport_maps = hash:/etc/postfix/transport turtle_destination_concurrency_limit = 1 turtle_destination_rate_delay = 3s turtle_destination_recipient_limi...

...uid_maps = static:400 master.cf (via 'postconf -Mf'): smtp inet n - n - - smtpd 24 inet n - n - - smtpd submission inet n - n - - smtpd -o syslog_name=postfix/submission -o smtpd_tls_security_level=encrypt -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,permit_mynetworks,reject -o milter_macro_daemon_name=ORIGINATING smtps inet n - n - -...

...oc/postfix/samples sendmail_path = /usr/sbin/sendmail.postfix setgid_group = postdrop smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache smtpd_sasl_auth_enable = yes smtpd_tls_auth_only = yes smtpd_tls_key_file = /etc/pki/dovecot/certs/tgv2015.crt smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache smtpd_use_tls = yes unknown_local_recipient_reject_code = 550 virtual_mailbox_base = /var/mail/vhosts virtual_mailbox_domains = <my-domain> virtual_transport = lmtp:unix:private/dovecot-lmtp

...yes smtpd_sasl_path = private/auth smtpd_sasl_type = dovecot smtpd_starttls_timeout = 20s smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/covisp.net/fullchain.pem smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/covisp.net/privkey.pem smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may 16 -rw------- 1 root 443 4152 May 20 21:08 fullchain-1558408117.pem 0 lrwx------ 1 root 443 24 May 20 21:08 fullchain.pem -> fullchain-1558408117.pem 8 -rw------- 1 root 443 3243 May 20 21:08 privkey-1558408117.pem 0 lrwx------ 1 root 443 22 May 20 21:08 privkey.pem ->...

...19, at 5:23 PM, @lbutlr <kremels at kreme.com> wrote: > Postfix logs "Client host rejected: Access denied? but as I said, other accounts can submit and there?s nothing special in the submission service in master.cf. submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_sasl_type=dovecot -o smtpd_sasl_security_options=noanonymous -o smtpd_sasl_path=private/auth -o smtpd_milters= -o milter_connect_macros= -o milter_macro_daemon_name=ORIGINATING -o syslog_name=postfix/submit -o smtpd_client_re...

On 27/09/17 20:35, Thomas Bauer wrote: > service auth { > inet_listener{ > address=192.0.0.1 > port=10001 > ssl=yes > } > } ssl=yes is not documented to work for the auth service and it's highly likely that it is simply ignored. > -o smtpd_tls_security_level=encrypt This definitely does not do what you think it does. This setting is for the smtpd server, not the SASL client. It will enforce TLS between the MUA (email client) and postfix. It does not affect the connection between postfix and the dovecot SASL server at all. The only way to encrypt t...

...der_login_mismatch,check_client_access hash:/etc/postfix/client_access smtpd_tls_CAfile = /etc/postfix/cert/cacert.pem smtpd_tls_auth_only = yes smtpd_tls_cert_file = /etc/postfix/cert/smtpd.crt smtpd_tls_key_file = /etc/postfix/cert/smtpd.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_security_level = may smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes tls_random_source = dev:/dev/urandom transport_maps = hash:/etc/postfix/transport unknown_local_recipient_reject_code = 550 And here's the dovecot: Version: [root at mail ~]# dovecot --version 2.0.9 Config: [root at mail ~]#...

...nknown_client?????????? = false reject_unknown_hostname???????? = false mailbox_command = /usr/local/libexec/dovecot/deliver -f "$SENDER" -a "$RECIPIENT" [root] # vi master.cf smtp????? inet? n?????? -?????? n?????? -?????? -?????? smtpd submission inet n - - - - smtpd -D ? -o smtpd_tls_security_level=encrypt ? -o smtpd_sasl_auth_enable=yes ? -o smtpd_sasl_type=dovecot ? -o smtpd_sasl_path=private/auth ? -o smtpd_sasl_security_options=noanonymous ? -o smtpd_sasl_local_domain=$myhostname ? -o smtpd_client_restrictions=permit_sasl_authenticated,reject ? -o smtpd_sender_login_maps=hash:/etc/postfix...

> That's a permission error. Somewhere in your directory hierarchy things > are off. See Postfix' set-permissions command. > But surely if Dovecot is staring as root then directory permissions are relevant, especially if I'm then asking the config to chmod the file anway ? To me, it seems dovecot is not behaving correctly, because if it is not using root to access the

...tl = 30d postscreen_pipelining_action = enforce postscreen_pipelining_enable = no postscreen_pipelining_ttl = 30d postscreen_post_queue_limit = $default_process_limit postscreen_pre_queue_limit = $default_process_limit postscreen_reject_footer = $smtpd_reject_footer postscreen_tls_security_level = $smtpd_tls_security_level postscreen_use_tls = $smtpd_use_tls postscreen_watchdog_timeout = 10s postscreen_whitelist_interfaces = static:all prepend_delivered_header = command, file, forward process_id_directory = pid propagate_unmatched_extensions = canonical, virtual proxy_interfaces = proxy_read_maps = $local_recipient_m...