Postfix - howto use smtp auth for external client but not for localhost
Does anyone know how (or if) it is possible to instruct postfix to accept unencrypted (non-TLS) connections from localhost, while at the same time insisting on a TLS-secured connection from other computers?
I couldn't find any hint on how to do that in the postfix docs or on the web
So here is the prob:
Sending mail via a TLS secured connection from my local mail client (thunderbird) via a postfix server on the internet works fine.
Now I also want to send mail using a webmail client (squirrelmail) on the very same server.
However I do not want to use encrypted communication when operating on the server itself (so from localhost) as that does increase server load but not security. (I consider the loopback as safe.)
So does anyone know how (or if) it is possible to instruct postfix to accept unencrypted (non-TLS) connections from localhost, while at the same time insisting on a TLS-secured connection from other computers?
Thanks so far
but the problem I am trying to solve is how to allow UNENCRYPTED connections from LOCALHOST while AT THE SAME TIME forcing connections from authenticated external clients to use a (TLS) ENCRYPTED connection
So right now my config (also postfix 2.3 by the way) resembles the second example and does not allow for unencrypted connections from localhost
@Berhanie: Thank you again for your answer
In fact I hope you are right and I just don't (yet) see how this could be the solution.
And here is why:
The problem stems from
smtpd_tls_auth_only = yes
I also use that. And I want to use it, to force external clients to use an TLS-encrypted connection.
HOWEVER, this is exactly the line that keeps the users on the box itself (localhost) from being able to use an UNENCRYPTED connection.
So that is what I need:
1.) external clients = force use of TLS
2.) (at the same time) localhost = do not use TLS at all
However "smtpd_tls_auth_only = yes" forces users on localhost to use TLS as well (and thus creates unnecessary load on the server by encrypting the loopback connection)
"smtpd_tls_auth_only = yes" only tells postfix to announce AUTH after TLS has been established. It does not enforce TLS. The strategy is to enforce authentication, which we do through smtpd_recipient_restrictions. Notice that localhost is exempt from having to authenticate since mynetworks is listed first in smtpd_recipient_restrictions. But you might have some other restriction somewhere in your main.cf giving us problems. Please post the output of "postconf -n".
@Berhanie: It would be great if you could tell me if there is something wrong with my main.cf and/or how to change it to force AUTH and ENCRYPTION for external users, while allowing users on localhost to connect UNENCRYPTED (while still forcing them to AUTH).
Last edited by rahmmandel; 03-12-2007 at 11:23 AM.
In fact I didn't know that position matters in smtpd_recipient_restrictions
There's your next assignment, then: read the documentation!
...force AUTH and ENCRYPTION to external users, while allowing users on localhost to connect UNENCRYPTED (while still forcing them to AUTH).
That's slightly different, then. You really should have made clear that you wanted connections from localhost to authenticate.
Since you also want authentication without encryption enabled, you cannot use "smtpd_tls_auth_only = yes" anymore. Here's what your main.cf might look like for your new requirements to work:
#being strict on mynetworks isn't important for this setup, but:
mynetworks_style = host
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
smtpd_tls_cert_file = /usr/local/etc/postfix/cert.pem
#allow anyone sending to us:
#otherwise, allow authenticated connections from localhost
#otherwise, demand both authentication and encryption:
/usr/local/etc/postfix/access_client should look like this:
# connections from 127.x.x.x must authenticate
127 permit_sasl_authenticated, reject
1. The reject isn't necessary in the access_client table, but it does tell the client that the rejection occurred because of an access table restriction.
2. smtpd_recipient_restrictions applies only to smtp connections. Local users can still submit mail through postdrop and be free from any restriction. Read the documentation to learn how to restrict that.
Finally don't forget to postmap the access_client table.
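A worked model of the ordering rule behind the two answers above, added here as an example and not part of the original thread: Postfix evaluates smtpd_recipient_restrictions left to right and stops at the first restriction that permits or rejects, so a permit_mynetworks early in the list exempts localhost from everything after it, and reject_plaintext_session must come after the check_client_access lookup if localhost is to keep sending in plaintext. The list named THREAD_ORDER is my reconstruction of the main.cf posted above (the setting lines themselves did not survive on this page), the access table contents are the ones posted, the client addresses are made up, and the handlers cover only the restrictions this thread talks about. reject_plaintext_session exists in Postfix 2.3 and later only, which matches the "unknown smtpd restriction" warning reported further down.

```python
"""First-match evaluation of Postfix smtpd_recipient_restrictions.

Added example, not from the thread.  Postfix walks the restriction list left
to right; the first restriction that yields PERMIT or REJECT decides and the
remainder is never consulted (a restriction that cannot decide yields DUNNO).
The handlers below model only the restrictions the thread talks about, so
the effect of ordering can be seen without a running mail server.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Session:
    client_ip: str            # address the SMTP client connected from
    sasl_authenticated: bool  # SASL AUTH succeeded in this session
    tls: bool                 # STARTTLS completed before MAIL FROM
    local_recipient: bool     # RCPT TO domain is one we are final destination for


# mynetworks_style = host: only the machine's own addresses are trusted (assumed).
MYNETWORKS = [ip_network("127.0.0.0/8")]

# Contents of the postmap'ed access_client table as posted in the thread:
# key -> list of restrictions to apply (first decision wins, DUNNO falls through).
ACCESS_CLIENT = {"127": ["permit_sasl_authenticated", "reject"]}

# Assumed reconstruction of the posted main.cf list; the comments are the thread's own.
THREAD_ORDER = [
    "permit_auth_destination",   # allow anyone sending to us
    "check_client_access",       # otherwise, allow authenticated connections from localhost
    "reject_plaintext_session",  # otherwise, demand both authentication and encryption
    "permit_sasl_authenticated",
    "reject",
]
# Same restrictions with the plaintext check moved ahead of the access table.
PLAINTEXT_CHECK_FIRST = [
    "permit_auth_destination",
    "reject_plaintext_session",
    "check_client_access",
    "permit_sasl_authenticated",
    "reject",
]
# The earlier setup the thread mentions: mynetworks first, so localhost never authenticates.
MYNETWORKS_FIRST = [
    "permit_mynetworks",
    "reject_plaintext_session",
    "permit_sasl_authenticated",
    "reject",
]


def lookup_client_access(ip: str):
    """Parent-prefix walk Postfix does for dotted-quad keys: a.b.c.d, a.b.c, a.b, a."""
    parts = ip.split(".")
    for n in range(len(parts), 0, -1):
        action = ACCESS_CLIENT.get(".".join(parts[:n]))
        if action is not None:
            return action
    return None


def evaluate(restrictions, s: Session) -> str:
    """Return PERMIT, REJECT or DUNNO for a restriction list; first decision wins."""
    for r in restrictions:
        if r == "permit":
            return "PERMIT"
        if r == "reject":
            return "REJECT"
        if r == "permit_mynetworks":
            if any(ip_address(s.client_ip) in net for net in MYNETWORKS):
                return "PERMIT"
        elif r == "permit_auth_destination":
            if s.local_recipient:
                return "PERMIT"
        elif r == "permit_sasl_authenticated":
            if s.sasl_authenticated:
                return "PERMIT"
        elif r == "reject_plaintext_session":   # Postfix 2.3 and later
            if not s.tls:
                return "REJECT"
        elif r == "check_client_access":
            sub = lookup_client_access(s.client_ip)
            if sub is not None:
                result = evaluate(sub, s)       # nested list: its own first decision wins
                if result != "DUNNO":
                    return result
        else:
            raise ValueError(f"unknown smtpd restriction: {r!r}")  # what smtpd logs
    return "DUNNO"


if __name__ == "__main__":
    # Made-up sessions: localhost with/without AUTH, an external client, an inbound mail.
    cases = {
        "localhost, AUTH, plaintext": Session("127.0.0.1", True, False, False),
        "localhost, no AUTH, plaintext": Session("127.0.0.1", False, False, False),
        "external, AUTH, plaintext": Session("203.0.113.5", True, False, False),
        "external, AUTH, TLS": Session("203.0.113.5", True, True, False),
        "external, inbound to our domain": Session("203.0.113.5", False, False, True),
    }
    for name, lst in (("thread order", THREAD_ORDER),
                      ("plaintext check first", PLAINTEXT_CHECK_FIRST),
                      ("mynetworks first", MYNETWORKS_FIRST)):
        for label, sess in cases.items():
            print(f"{name:22} {label:32} {evaluate(lst, sess)}")
```

On a real server the equivalent checks are `postconf smtpd_recipient_restrictions` to see the list actually in effect and `postmap -q 127.0.0.1 hash:/usr/local/etc/postfix/access_client` to see what the table returns for a given client address.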
@Berhanie: thanks a lot for your help and pls excuse that I didn't mention before that I also want the users on localhost to authenticate.
Concerning your solution. I gave it a try, changed main.cf accordingly, created access_client, postmapped it, reloaded postfix
but it didn't work out for me
Problem is, if I disable smtpd_tls_auth_only = yes
my external client can authenticate via an unencrypted (non-TLS) connection.
Which part in your suggested config ensures that external users have to use TLS (and AUTH)?
If the use of TLS is not mandatory, squirrelmail 1.4.9a (authenticated users sending mail from localhost) works. But that used to work before whenever I didn't enforce the use of TLS...
I would be glad if you could answer my question above. If you have any further suggestions they are welcome.
If not I can't blame you. I have lost hope of getting this working myself.
Anyway pls. answer the bold typed question above. Perhaps I can hunt down the prob with that information.
btw. in my log I found the following warning:
unknown smtpd restriction: "reject_plaintext_session"
I tried without it. Didn't work either.
However this piece of software is giving me a hell of a hard time.
In the docs (http://www.postfix.org/TLS_README.html) for example it says that "smtpd_tls_security_level = may" (Postfix 2.3 and later) is an equivalent to "smtpd_use_tls = yes" (which is obsolete but still supported).
However, if I substitute
"smtpd_use_tls = yes"
with "smtpd_tls_security_level = may"
an external client gets the message that the server does not offer STARTTLS in its EHLO response.
Man, if that postfix thing is not starting to behave soon, I'll leave it for qmail
I think you're using an old development (experimental and not fully-functional) version of 2.3, i.e. you're not using 2.3. You should use the stable version, now postfix-2.3.8. There was a lot of work done in the way of TLS between postfix-2.2 and postfix-2.3, so it's not surprising your problems involve TLS. Apart from that, there's also a possibility you had a syntactic error in main.cf (I hope you entered the parameters exactly as I posted them, paying attention to spaces signifying continuation lines: spaces in the beginning of a line which continues a previous line).
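To see for yourself what a server advertises, here is an added example (mine, not from the thread) that records the EHLO keywords before and after STARTTLS. It covers the symptom reported above (no STARTTLS in the EHLO response) as well as what smtpd_tls_auth_only = yes controls, namely whether AUTH is announced only once TLS is up. The three sample responses are constructed, not captured from any server; probe() does a live check with Python's smtplib and is the only part that needs a running Postfix.

```python
"""Classify an SMTP server's TLS/AUTH policy from its EHLO responses.

Added example, not from the thread.  ehlo_keywords() parses the capability
lines of a multi-line EHLO reply; classify() names the policy that a pair
of keyword sets (before and after STARTTLS) reveals; probe() collects those
two sets from a live server.
"""
import smtplib
import ssl

# Constructed sample replies (not captured).  Keyword lines are "250-WORD" or "250 WORD".
PLAINTEXT_EHLO = "250-mail.example.org\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
TLS_EHLO = "250-mail.example.org\r\n250-PIPELINING\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
NO_STARTTLS_EHLO = "250-mail.example.org\r\n250-PIPELINING\r\n250 8BITMIME\r\n"


def ehlo_keywords(response: str) -> set:
    """Return the lowercase keywords advertised in a multi-line EHLO reply."""
    lines = [ln for ln in response.replace("\r\n", "\n").split("\n") if ln]
    keywords = set()
    for ln in lines[1:]:             # first line carries the server name, not a capability
        if not ln.startswith("250"):
            continue
        keyword = ln[4:].split(" ", 1)[0].lower()   # drop "250-"/"250 " and any parameters
        if keyword:
            keywords.add(keyword)
    return keywords


def classify(before: set, after: set) -> str:
    """Name the policy shown by the EHLO keyword sets before and after STARTTLS."""
    if "starttls" not in before:
        return "no-starttls"               # the symptom reported in the thread
    if "auth" in before:
        return "auth-in-plaintext"         # AUTH offered without TLS (smtpd_tls_auth_only = no)
    if "auth" in after:
        return "auth-after-tls-only"       # AUTH announced only once TLS is up (= yes)
    return "no-auth"


def probe(host: str, port: int = 25, timeout: float = 10.0, verify: bool = True):
    """Live check: EHLO keyword sets before and after STARTTLS.  Needs a reachable server."""
    ctx = ssl.create_default_context()
    if not verify:                          # only for a self-signed test certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = set(s.esmtp_features)      # smtplib stores keywords in lowercase
        after = set()
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()                        # capabilities must be re-read after STARTTLS
            after = set(s.esmtp_features)
    return before, after


if __name__ == "__main__":
    print(classify(ehlo_keywords(PLAINTEXT_EHLO), ehlo_keywords(TLS_EHLO)))
    print(classify(ehlo_keywords(NO_STARTTLS_EHLO), set()))
```

Run it against a real host with `probe("mail.example.org")` and feed the two sets to classify(); pass verify=False only when testing against a self-signed cert like the cert.pem in the configuration above, since the default context refuses it.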
@Berhanie: yes, I did not have any typos in my config. Anyway, you are probably right, I should update and try again. Anyway that webmailing thing is a pretty low priority project, so it will have to wait a couple of days. If things don't work out I may succeed in contacting you again. It would be great if you would stay subscribed to this thread.
But in any case I would like to thank you very much for your help so far
And of course for hanging in with me until today.