Re: Authenticated Email (TLS?)

To: Matthias Scheler <tron%zhadum.org.uk@localhost>
Subject: Re: Authenticated Email (TLS?)
From: Paul Goyette <paul%whooppee.com@localhost>
Date: Sun, 6 Nov 2011 14:07:01 -0800 (PST)

I think I'm making progress...  But still not working.

When I try to start a TLS session from the client (a 'droid phone), Iget an error report from postfix.


         Out: 220 screamer.whooppee.com ESMTP Postfix
         In:  EHLO localhost
         Out: 250-screamer.whooppee.com
         Out: 250-PIPELINING
         Out: 250-SIZE 10240000
         Out: 250-ETRN
         Out: 250-STARTTLS
         Out: 250-ENHANCEDSTATUSCODES
         Out: 250-8BITMIME
         Out: 250 DSN
         In:  STARTTLS
         Out: 454 4.7.0 TLS not available due to local problem
         Out: 421 4.4.2 screamer.whooppee.com Error: timeout exceeded

In my /var/log/maillog I get

        Nov  6 13:35:29 screamer postfix/smtpd[25338]: warning: No server certs 
available. TLS won't be enabled
        Nov  6 13:35:29 screamer postfix/smtpd[25338]: connect from 
wifi[66.92.186.139]
        ...
        Nov  6 13:40:30 screamer postfix/smtpd[25338]: timeout after STARTTLS 
from wifi[66.92.186.139]
        Nov  6 13:40:30 screamer postfix/smtpd[25338]: disconnect from 
wifi[66.92.186.139]

My dovecot config looks like this:

        {248} dovecot -n
        # 2.0.13: /usr/pkg/etc/dovecot/dovecot.conf
        # OS: NetBSD 5.99.55 amd64
        auth_mechanisms = plain login
        listen = *
        passdb {
          driver = passwd
        }
        protocols =
        service auth {
          unix_listener /var/spool/postfix/private/auth {
            group = postfix
            mode = 0660
            user = postfix
          }
        }
        ssl_cert = /etc/openssl/certs/dovecot.pem
        ssl_key = /etc/openssl/private/dovecot.pem
        userdb {
          driver = passwd
        }

I used the mkcert.sh script to create a self-signed certificate, andplaced it in the /etc/openssl/{certs,private}/dovecot.pem as specifiedin the configuration.


And finally, my postfix config has been modified to include

        submission inet n - n - - smtpd
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_sasl_type=dovecot
          -o smtpd_sasl_path=private/auth
          -o smtpd_sasl_security_options=noanonymous
          -o smtpd_sasl_local_domain=$mydomain
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o smtpd_sender_restrictions=reject_sender_login_mismatch
          -o 
smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject

I'm obviously missing something, but would appreciate any clues on howto make it find and use the certs.




On Sun, 6 Nov 2011, Matthias Scheler wrote:

On Sun, Nov 06, 2011 at 07:26:33AM -0800, Paul Goyette wrote:

 I think that all I need is to get the mail/dovecot package


You should really use the "mail/dovecot2" package.


Yes, I have installed dovecot2.0.13nb2 from pkgsrc


Good.

installed and running (plus some changes to postfix

configuration), > but the instructions are rather lengthy and
intimidating.

Which instructions did you look at? The instructions in the
Dovecot Wiki are IMHO quite simple:

http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL


I was reading the /usr/share/examples/postfix/SASL_README


That's a bit too generic.

The above WiKi is certainly helpful for getting postfix set up, but
I guess I need more help just getting dovecot itself configured and
running.  I'll see if I can navigate the Dovecot Wiki ...


No, that page explains pretty much everything. Here is the full
"dovecot.conf" that I'm using:

        auth_mechanisms = cram-md5 digest-md5 plain login
        listen = *, [::]
        #mail_debug = yes
        mail_location = mbox:~/Mail:INBOX=/var/mail/%u
        passdb {
          args = /etc/pkg/dovecot/passwd
          driver = passwd-file
        }
        pop3_uidl_format = %08Xv%08Xu
        protocols = imap pop3
        service auth {
          unix_listener /var/spool/postfix/private/auth {
            group = postfix
            mode = 0660
            user = postfix
          }
        }
        ssl = yes
        ssl_cert = </etc/openssl/certs/dovecot.pem
        ssl_key = </etc/openssl/private/dovecot.pem
        userdb {
          driver = passwd
        }

This is good enough to get SMTP auth, POP3(S) and IMAP(S) working.
I use a separate password file which is necessary for challenge
response authentication method like CRAM-MD5. It also has the
advantage that I can have accounts with a valid shell (for pipe
mailer usage) which still cannot login via SSH as the account
is locked in "master.passwd".

        Kind regards

--
Matthias Scheler                                  http://zhadum.org.uk/

!DSPAM:4eb6b56d1962121711234!


-------------------------------------------------------------------------
| Paul Goyette     | PGP Key fingerprint:     | E-mail addresses:       |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com    |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer |                          | pgoyette at netbsd.org  |
-------------------------------------------------------------------------

Follow-Ups:
- Re: Authenticated Email (TLS?)
  - From: Matthias Scheler

References:
- Authenticated Email (TLS?)
  - From: Paul Goyette
- Re: Authenticated Email (TLS?)
  - From: Matthias Scheler
- Re: Authenticated Email (TLS?)
  - From: Paul Goyette
- Re: Authenticated Email (TLS?)
  - From: Matthias Scheler

Prev by Date: Re: No response to XDMCP queries using modular X.org xdm
Next by Date: Re: No response to XDMCP queries using modular X.org xdm
Previous by Thread: Re: Authenticated Email (TLS?)
Next by Thread: Re: Authenticated Email (TLS?)
Indexes:

Home | Main Index | Thread Index | Old Index