Postfix - howto use smtp auth for external client but not for localhost
Does anyone know how (or if) it is possible to instruct postfix to accept unencrypted (non-TLS) connections from localhost, while at the same time insisting on a TLS-secured connection from other computers?
I couldn't find any hint on how to do that in the postfix docs or on the web:( So here is the prob: Sending mail via a TLS-secured connection from my local mail client (thunderbird) via a postfix server on the internet works fine. Now I also want to send mail using a webmail client (squirrelmail) on the very same server. However, I do not want to use encrypted communication when operating on the server itself (so from localhost), as that does increase server load but not security. (I consider the loopback as safe;) Any hint is welcome. Thank you in advance:)
Here are two examples. The syntax/semantics is postfix-2.3.
Example 1: The only computers allowed to relay are those on the LAN which establish an encrypted connection. Code:
mynetworks_style = subnet
Example 2: Authentication is only allowed through an encrypted connection. Code:
mynetworks_style = host
Thanks so far:)
but the problem I try to solve is how to allow UNENCRYPTED connections from LOCALHOST while AT THE SAME TIME forcing connections from authenticated external clients to use a (TLS) ENCRYPTED connection;) So right now my config (also postfix 2.3, by the way) resembles the second example and does not allow for unencrypted connections from localhost:(
Seems to me the second example does everything that you want. What's the problem?
In case it wasn't clear, the following is an elaboration on Example 2: Code:
mynetworks_style = host
@Berhanie: Thank you again for your answer :)
In fact I hope you are right and I just don't (yet;) see how this could be the solution. And here is why: The problem stems from Code:
smtpd_tls_auth_only = yes
HOWEVER, this is exactly the line that keeps the users on the box itself (localhost) from being able to use an UNENCRYPTED connection. So that is what I need:
1.) external clients = force use of TLS
2.) (at the same time) localhost = do not use TLS at all
However "smtpd_tls_auth_only = yes" forces users on localhost to use TLS as well (and thus creates unnecessary load on the server by encrypting the loopback connection)
"smtpd_tls_auth_only = yes" only tells postfix to announce AUTH after TLS has been established. It does not enforce TLS. The strategy is to enforce authentication, which we do through smtpd_recipient_restrictions. Notice that localhost is exempt from having to authenticate since mynetworks is listed first in smtpd_recipient_restrictions. But you might have some other restriction somewhere in your main.cf giving us problems. Please post the output of "postconf -n".
Ah great, so I got it wrong and a solution is in sight. Thanks a lot, Berhanie :)
In fact I didn't know that position matters in smtpd_recipient_restrictions. However, I put mynetworks first but that didn't work for me. Localhost still seems to want encrypted communication. The output of "telnet localhost smtp" followed by "ehlo localhost" is:
250-myserver.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
Here is my result of postconf -n (I changed the entries in <> for security reasons) Code:
alias_maps = hash:/etc/aliases
:)
Since you also want authentication without encryption enabled, you cannot use "smtpd_tls_auth_only = yes" anymore. Here's what your main.cf might look like for your new requirements to work: Code:
#being strict on mynetworks isn't important for this setup, but: Code:
# connections from 127.x.x.x must authenticate
1. The reject isn't necessary in the access_client table, but it does tell the client that the rejection occurred because of an access table restriction.
2. smtpd_recipient_restrictions applies only to smtp connections. Local users can still submit mail through postdrop and be free from any restriction. Read the documentation to learn how to restrict that.
Finally don't forget to postmap the access_client table.
@Berhanie: thanks a lot for your help and pls excuse that I didn't mention before that I also want the users on localhost to authenticate.
Concerning your solution: I gave it a try, changed main.cf accordingly, created access_client, postmapped it, reloaded postfix, but it didn't work out for me:( Problem is, if I disable smtpd_tls_auth_only = yes my external client can authenticate via an unencrypted (non-TLS) connection. Which part in your suggested config ensures that external users have to use TLS (and AUTH)? If the use of TLS is not mandatory, squirrelmail 1.4.9a (authenticated users sending mail from localhost) works. But that used to work before whenever I didn't enforce the use of TLS... I would be glad if you could answer my question above. If you have any further suggestions they are welcome. If not I can't blame you. I have lost the hope to get this working myself:( Anyway pls. answer the bold typed question above. Perhaps I can hunt down the prob with that information. btw. in my log I found the following warning: unknown smtpd restriction: "reject_plaintext_session" I tried without it. Didn't work either.
Oh btw. to authenticate I use LOGIN (so plaintext)
IMHO it's OK to use an unencrypted/insecure plaintext mechanism within a secure/encrypted connection (TLS)
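The split the thread is circling around (plaintext AUTH accepted only on the loopback, AUTH offered only after STARTTLS to everyone else), as an added example that is not Berhanie's posted config and not taken from the Postfix docs: rather than relying on the order of smtpd_recipient_restrictions, it keeps smtpd_tls_auth_only = yes on the public listener and adds a second, loopback-only smtpd in master.cf with that setting overridden. The certificate paths and the loopback port 2525 are assumptions.

```text
# ---- main.cf (assumed example values): settings for the public listener ----
smtpd_tls_security_level = may          # offer STARTTLS (Postfix 2.3+ syntax)
smtpd_tls_cert_file = /etc/postfix/cert.pem   # assumed path
smtpd_tls_key_file = /etc/postfix/key.pem     # assumed path
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# AUTH is advertised only after STARTTLS, so a plaintext EHLO (as in the
# telnet session posted above) never shows an AUTH line on this listener.
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions =
    permit_sasl_authenticated,
    reject_unauth_destination

# ---- master.cf: extra listener bound to the loopback only ----
# squirrelmail on the same box connects to 127.0.0.1:2525 (port assumed);
# the -o lines override main.cf for this service alone, and continuation
# lines must start with whitespace.
127.0.0.1:2525 inet n - n - - smtpd
    -o smtpd_tls_security_level=none
    -o smtpd_tls_auth_only=no
    -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

Setting smtpd_tls_auth_only = no globally would advertise AUTH on plaintext sessions to external clients too, and a client that then sends its LOGIN credentials has already leaked them before any RCPT-time restriction can reject the session; the per-listener override avoids that. Local submission through sendmail/postdrop is unaffected, as Berhanie notes above, and the loopback listener rejects anything that does not authenticate.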
Hi, rahmmandel.
Code:
postconf mail_version
Postfix reports the version to be 2.3-20051106
However this piece of software is giving me a hell of a hard time. In the docs (http://www.postfix.org/TLS_README.html) for example it says that "smtpd_tls_security_level = may" (Postfix 2.3 and later) is an equivalent to "smtpd_use_tls = yes" (which is obsolete but still supported). However, if I substitute "smtpd_use_tls = yes" for "smtpd_tls_security_level = may" an external client gets the message that the server does not offer STARTTLS in its EHLO response. Man, if that postfix thing is not starting to behave soon, I'll leave it for qmail;)
I think you're using an old development (experimental and not fully-functional) version of 2.3, i.e. you're not using 2.3. You should use the stable version, now postfix-2.3.8. There was a lot of work done in the way of TLS between postfix-2.2 and postfix-2.3, so it's not surprising your problems involve TLS. Apart from that, there's also a possibility you had a syntactic error in main.cf (I hope you entered the parameters exactly as I posted them, paying attention to spaces signifying continuation lines: spaces in the beginning of a line which continues a previous line).
@Berhanie: yes I did not have any typos in my config;) Anyways you are probably right, I should update and try again. Anyway that webmailing thing is a pretty low priority project, so it will have to wait a couple of days. If things don't work out I may succeed in contacting you again. It would be great if you would stay subscribed to this thread.
But in any case I would like to thank you very much for your help so far :) And of course for hanging in with me until today :))
It's been my pleasure, rahmmandel. I hope to see you around again. Good luck with your project.
(I'm subscribed: posting to a thread causes automatic subscription.)