postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: RE: Need help with SALS and TLS

RE: Need help with SALS and TLS

From: Kory Hamzeh <kory_at_nospam>
Date: Thu Oct 28 2010 - 23:26:01 GMT
To: <postfix-users@postfix.org>

> > My TLS setup is a bigger mess. The maillog tells me that a SSL
> session has
> > been established, but then the connection seems to get cleared by the
> client
> > (Droid). I've looked at many Postfix TLS How-to's, and some of them
> seem to
> > contradict the other.
>
> Again: "postconf -n".

OK, thanks for the reply. Couple of updates:

1. It's SASL, not SALS -- sorry, it had been a long 16 hour day with 8 hours
on the road driving.

2. I did get SASL working perfectly -- at some point I had accidently
commented out the "permit_sasl_authenticated".

3. I have TLS working with name/pass auth, on port 587 if the client
UNCHECKS "Use SSL". For some reason that I don't understand, if the client
has "Use SSL" enabled, it disconnects the TCP connection as soon as a SSL
session is established. My main concern is that the client/server connection
is safe and encrypted. It appears to be even with the SSL option not
selected by the client. I used tcpdump to snoop the connection. I see the
EHLO and STARTTLS message being sent in the clear, but the rest of the data
for the duration of the connection is encrypted. The log messages in
/var/log/maillog indicates that encryption is being used. I suspect the "Use
SSL" option on the client doesn't mean encrypt the connection but rather it
means "verify certificate" (I have a self signed certificate).

My main question at this point: is my SASL and TLS setup secure (encrypted)
with my current configuration below?

Here is the output of "postconf -n" (log output is below that):

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
body_checks = pcre:/etc/postfix/body_checks broken_sasl_auth_clients = yes
command_directory = /usr/sbin config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix debug_peer_level = 2
disable_vrfy_command = yes header_checks = pcre:/etc/postfix/header_checks
html_directory = no mail_owner = postfix mailbox_size_limit = 1000000000
mailq_path = /usr/bin/mailq.postfix manpage_directory = /usr/share/man
message_size_limit = 25000000
mydestination = $myhostname, localhost.$mydomain, $mydomain,
mail.$mydomain, www.$mydomain, ftp.$mydomain, metaphysical-store.com,
www.metaphysical-store.com, oamcs.metaphysical-store.com,
metaphysicalstore.com, www.metaphysicalstore.com, oamcs.com,
www.oamcs.com, korzell.com, korzells.com, agasha.org, www.agasha.org,
ahsaga12.com, www.ahsaga12.com connectforpeace.org www.connectforpeace.org
avatartools.com www.avatartools.com avatarroad.com www.avatarroad.com
mynetworks = 199.33.206.0/24,127.0.0.1/32 myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix queue_directory =
/var/spool/postfix recipient_delimiter = + sendmail_path =
/usr/sbin/sendmail.postfix setgid_group = postdrop
smtp_sasl_security_options = noanonymous, noplaintext
smtp_sasl_tls_security_options = noanonymous smtp_tls_note_starttls_offer =
yes smtp_use_tls = yes smtpd_client_connection_count_limit = 5
smtpd_client_connection_rate_limit = 10 smtpd_client_message_rate_limit = 20
smtpd_client_recipient_rate_limit = 20 smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated, reject_unauth_destination,
check_sender_access hash:/etc/postfix/sender_access_ok, check_client_access
hash:/etc/postfix/client_access_ok, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_non_fqdn_sender,
reject_non_fqdn_recipient, reject_unknown_recipient_domain,
reject_unknown_sender_domain, reject_unauth_pipelining,
check_recipient_access pcre:/etc/postfix/recipient_access_regexp_rej,
reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org,
permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_key_file =
/etc/postfix/ssl/smtpd.key smtpd_tls_loglevel = 2 smtpd_tls_received_header
= yes smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes
strict_rfc821_envelopes = yes swap_bangpath = no tls_random_source =
dev:/dev/urandom unknown_address_reject_code = 554
unknown_client_reject_code = 554 unknown_hostname_reject_code = 554
unknown_local_recipient_reject_code = 550

I have included log entries from 2 different connects. The first one is from
a droid 2 phone, usaing name/pass authenticate, port 587, but SSL NOT
selected. This works fine:

Oct 27 16:22:29 ns postfix/smtpd[15850]: initializing the server-side TLS
engine
Oct 27 16:22:30 ns postfix/smtpd[15850]: connect from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:22:30 ns postfix/smtpd[15850]: setting up TLS connection from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:22:30 ns postfix/smtpd[15850]:
108.sub-97-48-178.myvzw.com[97.48.178.108]: TLS cipher list
"ALL:!EXPORT:!LOW:+RC4:@STRENGTH"
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:before/accept
initialization
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 read client hello
B
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write server hello
A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write certificate
A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write key exchange
A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write server done
A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 flush data
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 read client key
exchange A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 read finished A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write change
cipher spec A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 write finished A
Oct 27 16:22:30 ns postfix/smtpd[15850]: SSL_accept:SSLv3 flush data
Oct 27 16:22:30 ns postfix/smtpd[15850]: Anonymous TLS connection
established from 108.sub-97-48-178.myvzw.com[97.48.178.108]: TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits)
Oct 27 16:22:31 ns postfix/smtpd[15850]: C3486AC4001:
client=108.sub-97-48-178.myvzw.com[97.48.178.108], sasl_method=PLAIN,
sasl_username=kory
Oct 27 16:22:32 ns postfix/cleanup[15855]: C3486AC4001:
message-id=<b74522da-1ea8-4494-be2c-cd9517d92ec6@blur>
Oct 27 16:22:32 ns postfix/qmgr[9043]: C3486AC4001: from=<kory@avatar.com>,
size=1238, nrcpt=1 (queue active)
Oct 27 16:22:32 ns postfix/smtpd[15850]: disconnect from
108.sub-97-48-178.myvzw.com[97.48.178.108]

Failed log entry, same as before but SSL enabled on the phone (client):

Oct 27 16:47:30 ns postfix/smtpd[16395]: initializing the server-side TLS
engine Oct 27 16:47:30 ns postfix/smtpd[16395]: connect from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:31 ns postfix/smtpd[16395]: lost connection after UNKNOWN from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:31 ns postfix/smtpd[16395]: disconnect from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:36 ns postfix/smtpd[16395]: connect from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:36 ns postfix/smtpd[16395]: lost connection after UNKNOWN from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:36 ns postfix/smtpd[16395]: disconnect from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:42 ns postfix/smtpd[16395]: connect from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:42 ns postfix/smtpd[16395]: lost connection after UNKNOWN from
108.sub-97-48-178.myvzw.com[97.48.178.108]
Oct 27 16:47:42 ns postfix/smtpd[16395]: disconnect from
108.sub-97-48-178.myvzw.com[97.48.178.108]

Any help would be grealy appreciated!

Kory