Postfix - howto use smtp auth for external client but not for localhost
Does anyone know how (or if) it is possible to instruct postfix to accept unencrypted (non-TLS) connections from localhost, while at the same time insisting on a TLS-secured connection from other computers?
I couldn't find any hint on how to do that in the postfix docs or on the web.
So here is the prob:
Sending mail via a TLS secured connection from my local mail client (thunderbird) via a postfix server on the internet works fine.
Now I also want to send mail using a webmail client (squirrelmail) on the very same server.
However I do not want to use encrypted communication when operating on the server itself (so from localhost) as that does increase server load but not security. (I consider the loopback as safe.)
So does anyone know how (or if) it is possible to instruct postfix to accept unencrypted (non-TLS) connections from localhost, while at the same time insisting on a TLS-secured connection from other computers?
Thanks so far
But the problem I try to solve is how to allow UNENCRYPTED connections from LOCALHOST while AT THE SAME TIME forcing connections from authenticated external clients to use a (TLS) ENCRYPTED connection.
So right now my config (also postfix 2.3 by the way) resembles the second example and does not allow for unencrypted connections from localhost.
@Berhanie: Thank you again for your answer.
In fact I hope you are right and I just don't (yet) see how this could be the solution.
And here is why:
The problem stems from
Code:
smtpd_tls_auth_only = yes
I also use that. And I want to use it, to force external clients to use a TLS-encrypted connection.
HOWEVER, this is exactly the line that keeps the users on the box itself (localhost) from being able to use an UNENCRYPTED connection.
So that is what I need:
1.) external clients = force use of TLS
2.) (at the same time) localhost = do not use TLS at all
However "smtpd_tls_auth_only = yes" forces users on localhost to use TLS as well (and thus creates unnecessary load on the server by encrypting the loopback connection).
"smtpd_tls_auth_only = yes" only tells postfix to announce AUTH after TLS has been established. It does not enforce TLS. The strategy is to enforce authentication, which we do through smtpd_recipient_restrictions. Notice that localhost is exempt from having to authenticate since mynetworks is listed first in smtpd_recipient_restrictions. But you might have some other restriction somewhere in your main.cf giving us problems. Please post the output of "postconf -n".
Ah great, so I got it wrong and a solution is in sight. Thanks a lot, Berhanie.
In fact I didn't know that position matters in smtpd_recipient_restrictions. However, I put mynetworks first but that didn't work for me.
Localhost still seems to want encrypted communication.
@Berhanie: It would be great if you could tell me if there is something wrong with my main.cf and/or how to change it to force AUTH and ENCRYPTION for external users, while allowing users on localhost to connect UNENCRYPTED (while still forcing them to AUTH).
Last edited by rahmmandel; 03-12-2007 at 11:23 AM.
In fact I didn't know that position matters in smtpd_recipient_restrictions
There's your next assignment, then: read the documentation!
Quote:
...force AUTH and ENCRYPTION to external users, while allowing users on localhost to connect UNENCRYPTED (while still forcing them to AUTH).
That's slightly different, then. You really should have made clear that you wanted connections from localhost to authenticate.
Since you also want authentication without encryption enabled, you cannot use "smtpd_tls_auth_only = yes" anymore. Here's what your main.cf might look like for your new requirements to work:
Code:
# being strict on mynetworks isn't important for this setup, but:
mynetworks_style = host
# sasl
#
smtpd_sasl_auth_enable = yes
# tls
#
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /usr/local/etc/postfix/cert.pem
smtpd_tls_session_cache_database =
    btree:/usr/local/etc/postfix/smtpd_tls_scache
smtpd_recipient_restrictions =
    # allow anyone sending to us:
    permit_auth_destination
    # otherwise, allow authenticated connections from localhost
    check_client_access hash:/usr/local/etc/postfix/access_client
    # otherwise, demand both authentication and encryption:
    reject_plaintext_session
    permit_sasl_authenticated
    reject
/usr/local/etc/postfix/access_client should look like this:
Code:
# connections from 127.x.x.x must authenticate
127 permit_sasl_authenticated, reject
Note:
1. The reject isn't necessary in the access_client table, but it does tell the client that the rejection occurred because of an access table restriction.
2. smtpd_recipient_restrictions applies only to smtp connections. Local users can still submit mail through postdrop and be free from any restriction. Read the documentation to learn how to restrict that.
Finally don't forget to postmap the access_client table.
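As an added illustration (not code from the thread or from Postfix itself), the following is a simplified model of how Postfix walks the smtpd_recipient_restrictions list in Berhanie's main.cf: each restriction either decides or passes, and the first decision wins, which is why the order of the list matters and why the access_client table can exempt localhost from reject_plaintext_session. The Session fields, the prefix-only address lookup and the 203.0.113.x client address are assumptions made for the example.

```python
# Added example (not from the thread): a simplified model of how Postfix walks
# Berhanie's smtpd_recipient_restrictions; the first decision wins, so order matters.
from dataclasses import dataclass

# access_client table from the post: connections from 127.x.x.x must authenticate
ACCESS_CLIENT = {"127": "permit_sasl_authenticated, reject"}

MAIN_CF_RESTRICTIONS = ["permit_auth_destination", "check_client_access",
                        "reject_plaintext_session", "permit_sasl_authenticated",
                        "reject"]

@dataclass
class Session:                # constructed view of one SMTP session
    client_ip: str            # peer address of the SMTP client
    sasl_authenticated: bool  # client completed SASL AUTH
    tls: bool                 # session is inside STARTTLS
    recipient_is_local: bool  # recipient domain is one we accept mail for

def lookup_access(ip):
    """Address lookup as in access(5): full address, then shorter octet prefixes,
    so the "127" entry matches 127.0.0.1 (hostname lookups are omitted here)."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        action = ACCESS_CLIENT.get(".".join(octets[:n]))
        if action is not None:
            return action
    return None

def evaluate(session, restrictions=MAIN_CF_RESTRICTIONS):
    """Return (decision, deciding restriction), or None if the list ends undecided."""
    for name in restrictions:
        if name == "permit_auth_destination":
            result = ("permit", name) if session.recipient_is_local else None
        elif name == "check_client_access":
            action = lookup_access(session.client_ip)
            # a table value is itself a restriction list, evaluated in place
            result = None if action is None else evaluate(
                session, [a.strip() for a in action.split(",")])
        elif name == "reject_plaintext_session":
            result = None if session.tls else ("reject", name)
        elif name == "permit_sasl_authenticated":
            result = ("permit", name) if session.sasl_authenticated else None
        elif name == "reject":
            result = ("reject", name)
        else:  # the warning rahmmandel saw: the keyword is unknown to this smtpd
            raise ValueError(f'unknown smtpd restriction: "{name}"')
        if result is not None:
            return result
    return None
```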
@Berhanie: thanks a lot for your help and please excuse that I didn't mention before that I also want the users on localhost to authenticate.
Concerning your solution: I gave it a try, changed main.cf accordingly, created access_client, postmapped it, reloaded postfix,
but it didn't work out for me.
Problem is, if I disable smtpd_tls_auth_only = yes,
my external client can authenticate via an unencrypted (non-TLS) connection.
Which part in your suggested config ensures that external users have to use TLS (and AUTH)?
If the use of TLS is not mandatory, squirrelmail 1.4.9a (authenticated users sending mail from localhost) works. But that used to work before whenever I didn't enforce the use of TLS...
I would be glad if you could answer my question above. If you have any further suggestions they are welcome.
If not I can't blame you. I have lost hope of getting this working myself.
Anyway please answer the bold typed question above. Perhaps I can hunt down the prob with that information.
btw. in my log I found the following warning:
unknown smtpd restriction: "reject_plaintext_session"
I tried without it. Didn't work either.
Oh btw. to authenticate I use LOGIN (so plaintext).
IMHO it's OK to use an unencrypted/insecure plaintext mechanism within a secure/encrypted connection (TLS).
That's the restriction that forces outside users to use encrypted sessions. Are you sure you're using postfix 2.3? That might be your problem. Check the output of
Code:
postconf mail_version
Quote:
IMHO it's OK to use an unencrypted/insecure plaintext mechanism within a secure/encrypted connection
However this piece of software is giving me a hell of a hard time.
In the docs (http://www.postfix.org/TLS_README.html) for example it says that "smtpd_tls_security_level = may" (Postfix 2.3 and later) is an equivalent to "smtpd_use_tls = yes" (which is obsolete but still supported).
However, if I substitute
"smtpd_use_tls = yes"
for
"smtpd_tls_security_level = may"
an external client gets the message that the server does not offer STARTTLS in its EHLO response.
Man, if that postfix thing is not starting to behave soon, I'll leave it for qmail.
I think you're using an old development (experimental and not fully-functional) version of 2.3, i.e. you're not using 2.3. You should use the stable version, now postfix-2.3.8. There was a lot of work done in the way of TLS between postfix-2.2 and postfix-2.3, so it's not surprising your problems involve TLS. Apart from that, there's also a possibility you had a syntactic error in main.cf (I hope you entered the parameters exactly as I posted them, paying attention to spaces signifying continuation lines: spaces in the beginning of a line which continues a previous line).
@Berhanie: yes, I did not have any typos in my config. Anyways you are probably right, I should update and try again. Anyway that webmailing thing is a pretty low priority project, so it will have to wait a couple of days. If things don't work out I may succeed in contacting you again. It would be great if you would stay subscribed to this thread.
But in any case I would like to thank you very much for your help so far,
and of course for hanging in with me until today.
It's been my pleasure, rahmmandel. I hope to see you around again. Good luck with your project.
(I'm subscribed: posting to a thread causes automatic subscription.)