Sandy Drobic wrote:
Just a little question. In your config below I see two possibilities to authenticate: either by using conventional user/pass or by using a client certificate.
Which one are you trying to implement?
Hadn't realised there were two here. I'd like the most secure and least likely to allow someone else access to my server! (BTW I'm using Courier IMAP having set most of this up by working through 'Linux Email' by several authors including Patrick Koetter. My TLS certificate was built based on Chapter 13 of Kyle Dent's O'Reilly publication, 'Postfix - the definitive guide'. It wouldn't surprise me if I've gotten into a muddle trying to work between these books and the readme files with Postfix itself!)
Did you test both of them?
postconf output follows:
broken_sasl_auth_clients = yes
mynetworks = 127.0.0.0/8, 192.168.74.0/24, 192.168.80.0/24, 10.0.0.0/24
relay_clientcerts = hash:/etc/postfix/relay_ccerts
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_application_name = smtpd
smtpd_sasl_auth_enable = no
Er, hello?!? If you want to use smtp auth you need to set this to "yes"!
smtpd_sasl_auth_enable = yes
Er yes! - see below
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /Certificates/ssl/Authority/CA.crt
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /Certificates/ssl/Certificate/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_key_file = /Certificates/ssl/Key/PostOffice.DMJ-Consultancy.me.uk.unc
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes
The rest looks fine. If you are trying to use client certs, did you put the client cert on your phone? I don't remember seeing a line in the tls log where the client (your phone) is presenting a client certificate.
The phone has a PKCS12 format key and trusted certificate, the fingerprint of which is the only entry in relay_ccerts alongside my forename as user. This key-and-relay_ccerts-fingerprint set was generated by openssl but I'm hesitant about posting a key on this list.
If you can't get saslfinger to work, please show the output of the last line of this command (the capabilities of your server after a TLS connection has been established and the ehlo command is invoked).
openssl s_client -starttls smtp -connect localhost:25
see below (sensitive info cut - hopefully!)
ehlo localhost
Please also post the content of /usr/lib/sasl2/smtpd.conf.
pwcheck_method: saslauthd
log_level: 3
mech_list: PLAIN LOGIN
If you are trying to use client certificates for authentication please also post the content of /etc/postfix/relay_ccerts and verify that it is indeed the fingerprint of your client certificate.
depth=1 /C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
   i:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
 1 s:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
   i:/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDVDCCAr2gAwIBAgIBAzANBgkqhkiG9w0BAQQFADCBozELMAkGA1UEBhMCVUsx
.......................................
qIRGNhhaclu7lwdDEtpNP2skqcz5VLVVcgwb3eM4TJ01yXFx8ZD8Pw==
-----END CERTIFICATE-----
subject=/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=PostOffice.DMJ-Consultancy.me.uk/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
issuer=/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
---
Acceptable client certificate CA names
/C=UK/ST=H?/L=P?/O=DMJ Consultancy/CN=DMJ-Consultancy/emailAddress=CertificateMaster@DMJ-Consultancy.co.uk
---
SSL handshake has read 2500 bytes and written 383 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-A?6-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-A?6-SHA
    Session-ID: 8872A2FA0F712B2BC2CFA301BE17D648944093293F266D209236F36579B2718D
    Session-ID-ctx:
    Master-Key: 8D133580FA......................................345B932674871F1
    Key-Arg   : None
    Start Time: 1190157431
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250 8BITMIME
ehlo localhost
250-General.DMJ-Consultancy.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250 8BITMIME
500 Error: bad syntax

Above was with smtpd_sasl_auth_enable = no
Setting it to yes and reloading gives read:errno=32 to the openssl command above
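Since the thread turns on which of the two mechanisms is actually wired up, here is an added Python audit (not from the list or the poster) that parses postconf-style `name = value` lines and flags the combinations discussed above. It encodes the Postfix semantics as I understand them (permit_sasl_authenticated needs smtpd_sasl_auth_enable = yes; permit_tls_clientcerts needs a relay_clientcerts map; smtpd_tls_req_ccert is only honoured with mandatory TLS; PLAIN/LOGIN without smtpd_tls_auth_only or noplaintext is offered in the clear), and SAMPLE_POSTCONF is a constructed copy of the lines quoted in this thread.

```python
import re

# Constructed sample: the postconf lines quoted in the thread above.
SAMPLE_POSTCONF = """\
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, permit_tls_clientcerts, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = yes
smtpd_tls_req_ccert = yes
smtpd_use_tls = yes
relay_clientcerts = hash:/etc/postfix/relay_ccerts
"""

def parse_postconf(text):
    """Parse 'name = value' lines into {name: [tokens]}; comma/space separated values become lists."""
    conf = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        conf[name.strip()] = [v for v in re.split(r"[,\s]+", value.strip()) if v]
    return conf

def audit(conf):
    """Return (setting, problem) findings about SMTP AUTH and client-certificate relaying."""
    def yes(name):
        return conf.get(name, ["no"]) == ["yes"]
    findings = []
    restr = conf.get("smtpd_recipient_restrictions", [])
    if "permit_sasl_authenticated" in restr and not yes("smtpd_sasl_auth_enable"):
        findings.append(("smtpd_sasl_auth_enable",
                         "permit_sasl_authenticated is listed but SASL AUTH is disabled; no client can authenticate"))
    if "permit_tls_clientcerts" in restr and not conf.get("relay_clientcerts"):
        findings.append(("relay_clientcerts",
                         "permit_tls_clientcerts is listed but relay_clientcerts is empty; no certificate can match"))
    mandatory_tls = yes("smtpd_enforce_tls") or conf.get("smtpd_tls_security_level") == ["encrypt"]
    if yes("smtpd_tls_req_ccert") and not mandatory_tls:
        findings.append(("smtpd_tls_req_ccert",
                         "only honoured with mandatory TLS; with opportunistic TLS (smtpd_use_tls) it is ignored"))
    if (yes("smtpd_sasl_auth_enable") and not yes("smtpd_tls_auth_only")
            and "noplaintext" not in conf.get("smtpd_sasl_security_options", [])):
        findings.append(("smtpd_tls_auth_only",
                         "PLAIN/LOGIN would be offered before STARTTLS; credentials could cross the wire in clear"))
    return findings

if __name__ == "__main__":
    for setting, problem in audit(parse_postconf(SAMPLE_POSTCONF)):
        print(f"{setting}: {problem}")
```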