NetBSD-Users archive


Re: Authenticated Email (TLS?)

I think I'm making progress...  But still not working.

When I try to start a TLS session from the client (a 'droid phone), I get an error report from postfix.

         Out: 220 ESMTP Postfix
         In:  EHLO localhost
         Out: 250-PIPELINING
         Out: 250-SIZE 10240000
         Out: 250-ETRN
         Out: 250-STARTTLS
         Out: 250-8BITMIME
         Out: 250 DSN
         In:  STARTTLS
         Out: 454 4.7.0 TLS not available due to local problem
         Out: 421 4.4.2 Error: timeout exceeded

In my /var/log/maillog I get

        Nov  6 13:35:29 screamer postfix/smtpd[25338]: warning: No server certs available. TLS won't be enabled
        Nov  6 13:35:29 screamer postfix/smtpd[25338]: connect from 
        Nov  6 13:40:30 screamer postfix/smtpd[25338]: timeout after STARTTLS from wifi[]
        Nov  6 13:40:30 screamer postfix/smtpd[25338]: disconnect from 

My dovecot config looks like this:

        {248} dovecot -n
        # 2.0.13: /usr/pkg/etc/dovecot/dovecot.conf
        # OS: NetBSD 5.99.55 amd64
        auth_mechanisms = plain login
        listen = *
        passdb {
          driver = passwd
        }
        protocols =
        service auth {
          unix_listener /var/spool/postfix/private/auth {
            group = postfix
            mode = 0660
            user = postfix
          }
        }
        ssl_cert = /etc/openssl/certs/dovecot.pem
        ssl_key = /etc/openssl/private/dovecot.pem
        userdb {
          driver = passwd
        }

I used the script to create a self-signed certificate, and placed it in the /etc/openssl/{certs,private}/dovecot.pem as specified in the configuration.

And finally, my postfix config has been modified to include

        submission inet n - n - - smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_sasl_type=dovecot
          -o smtpd_sasl_path=private/auth
          -o smtpd_sasl_security_options=noanonymous
          -o smtpd_sasl_local_domain=$mydomain
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o smtpd_sender_restrictions=reject_sender_login_mismatch

I'm obviously missing something, but would appreciate any clues on how to make it find and use the certs.

On Sun, 6 Nov 2011, Matthias Scheler wrote:

On Sun, Nov 06, 2011 at 07:26:33AM -0800, Paul Goyette wrote:
 I think that all I need is to get the mail/dovecot package

You should really use the "mail/dovecot2" package.

Yes, I have installed dovecot2.0.13nb2 from pkgsrc


installed and running (plus some changes to postfix
configuration), but the instructions are rather lengthy and

Which instructions did you look at? The instructions in the
Dovecot Wiki are IMHO quite simple:

I was reading the /usr/share/examples/postfix/SASL_README

That's a bit too generic.

The above Wiki is certainly helpful for getting postfix set up, but
I guess I need more help just getting dovecot itself configured and
running.  I'll see if I can navigate the Dovecot Wiki ...

No, that page explains pretty much everything. Here is the full
"dovecot.conf" that I'm using:

        auth_mechanisms = cram-md5 digest-md5 plain login
        listen = *, [::]
        #mail_debug = yes
        mail_location = mbox:~/Mail:INBOX=/var/mail/%u
        passdb {
          args = /etc/pkg/dovecot/passwd
          driver = passwd-file
        }
        pop3_uidl_format = %08Xv%08Xu
        protocols = imap pop3
        service auth {
          unix_listener /var/spool/postfix/private/auth {
            group = postfix
            mode = 0660
            user = postfix
          }
        }
        ssl = yes
        ssl_cert = </etc/openssl/certs/dovecot.pem
        ssl_key = </etc/openssl/private/dovecot.pem
        userdb {
          driver = passwd
        }

This is good enough to get SMTP auth, POP3(S) and IMAP(S) working.
I use a separate password file, which is necessary for
challenge-response authentication methods like CRAM-MD5. It also has
the advantage that I can have accounts with a valid shell (for pipe
mailer usage) which still cannot log in via SSH, as the account
is locked in "master.passwd".

        Kind regards

Matthias Scheler                        


| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at |
| Kernel Developer |                          | pgoyette at  |
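
The following is an added example and not code from either poster. The "No server certs available" warning in the maillog above is logged by Postfix's smtpd itself, which only looks at its own settings in main.cf (smtpd_tls_cert_file and smtpd_tls_key_file); Dovecot's ssl_cert only serves Dovecot's IMAP/POP3 listeners, so a Dovecot certificate alone leaves the submission service with nothing to offer at STARTTLS. A second detail worth checking is the "<" in Matthias's ssl_cert and ssl_key lines, which tells Dovecot 2.x to read the value from that file instead of treating it as inline PEM text. The script below lints "postconf -n" and "dovecot -n" style dumps for both points; the four sample dumps, the certificate paths and the temporary directory are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a small linter for the two settings
# a Postfix-submission-plus-Dovecot-SASL setup needs before STARTTLS works.
#  1. Postfix's smtpd needs its *own* certificate (smtpd_tls_cert_file and
#     smtpd_tls_key_file in main.cf).  Dovecot's ssl_cert only serves Dovecot's
#     IMAP/POP3 listeners; with no Postfix cert, smtpd logs "No server certs
#     available. TLS won't be enabled" and answers STARTTLS with 454 4.7.0.
#  2. In Dovecot 2.x, ssl_cert and ssl_key must start with "<" so the value
#     is read from that file instead of being taken as inline PEM text.
# The sample dumps below are constructed to mirror the thread; the file
# names, certificate paths and the directory are placeholders.

# conf_get FILE KEY: print the value of KEY from a "key = value" dump such as
# "postconf -n" or "dovecot -n" output (indented block settings included).
conf_get() {
    awk -v k="$2" -F' *= *' '
        { sub(/^[ \t]+/, "", $1) }
        $1 == k { print $2; exit }' "$1"
}

# postfix_tls_ok FILE: 0 if the Postfix dump names both a cert and a key
# file, otherwise print the problem and return 1.
postfix_tls_ok() {
    cert=$(conf_get "$1" smtpd_tls_cert_file)
    key=$(conf_get "$1" smtpd_tls_key_file)
    if [ -z "$cert" ]; then
        echo "smtpd_tls_cert_file unset: smtpd has no server cert, STARTTLS will fail"
        return 1
    fi
    if [ -z "$key" ]; then
        echo "smtpd_tls_key_file unset: cert $cert has no private key"
        return 1
    fi
    return 0
}

# dovecot_ssl_ok FILE: 0 if ssl_cert and ssl_key both use the "<file" form.
dovecot_ssl_ok() {
    for s in ssl_cert ssl_key; do
        v=$(conf_get "$1" "$s")
        case "$v" in
            '<'*) ;;
            '')   echo "$s unset"; return 1 ;;
            *)    echo "$s = $v: no leading '<', Dovecot would treat this as PEM text, not a path"
                  return 1 ;;
        esac
    done
    return 0
}

# make_samples DIR: write four constructed dumps, "before" (as in the thread)
# and "after" (fixed), for both daemons.
make_samples() {
    mkdir -p "$1"
    cat > "$1/postfix-before" <<'EOF'
mydomain = example.org
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
EOF
    cat > "$1/postfix-after" <<'EOF'
mydomain = example.org
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_cert_file = /etc/openssl/certs/postfix.pem
smtpd_tls_key_file = /etc/openssl/private/postfix.pem
EOF
    cat > "$1/dovecot-before" <<'EOF'
auth_mechanisms = plain login
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
  }
}
ssl_cert = /etc/openssl/certs/dovecot.pem
ssl_key = /etc/openssl/private/dovecot.pem
EOF
    cat > "$1/dovecot-after" <<'EOF'
auth_mechanisms = plain login
ssl = yes
ssl_cert = </etc/openssl/certs/dovecot.pem
ssl_key = </etc/openssl/private/dovecot.pem
EOF
}

# Stand-alone run: lint all four samples and show the verdicts.
if [ -z "$TLSLINT_NO_DEMO" ]; then
    d=${TMPDIR:-/tmp}/tlslint.$$
    make_samples "$d"
    for f in postfix-before postfix-after; do
        printf '%s: ' "$f"; postfix_tls_ok "$d/$f" && echo ok
    done
    for f in dovecot-before dovecot-after; do
        printf '%s: ' "$f"; dovecot_ssl_ok "$d/$f" && echo ok
    done
    rm -r "$d"
fi
```

On a live system the same functions can be pointed at real dumps with `postconf -n > /tmp/pf.txt` and `dovecot -n > /tmp/dc.txt`; the linter deliberately checks only that the settings are present and well-formed, so confirming that the named files exist, are readable by the daemon and hold a matching cert/key pair remains a separate step.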
