NetBSD-Users archive
Re: Authenticated Email (TLS?)
I think I'm making progress... But still not working.
When I try to start a TLS session from the client (a 'droid phone), I
get an error report from postfix.
Out: 220 screamer.whooppee.com ESMTP Postfix
In: EHLO localhost
Out: 250-screamer.whooppee.com
Out: 250-PIPELINING
Out: 250-SIZE 10240000
Out: 250-ETRN
Out: 250-STARTTLS
Out: 250-ENHANCEDSTATUSCODES
Out: 250-8BITMIME
Out: 250 DSN
In: STARTTLS
Out: 454 4.7.0 TLS not available due to local problem
Out: 421 4.4.2 screamer.whooppee.com Error: timeout exceeded
In my /var/log/maillog I get
Nov 6 13:35:29 screamer postfix/smtpd[25338]: warning: No server certs available. TLS won't be enabled
Nov 6 13:35:29 screamer postfix/smtpd[25338]: connect from wifi[66.92.186.139]
...
Nov 6 13:40:30 screamer postfix/smtpd[25338]: timeout after STARTTLS from wifi[66.92.186.139]
Nov 6 13:40:30 screamer postfix/smtpd[25338]: disconnect from wifi[66.92.186.139]
My dovecot config looks like this:
{248} dovecot -n
# 2.0.13: /usr/pkg/etc/dovecot/dovecot.conf
# OS: NetBSD 5.99.55 amd64
auth_mechanisms = plain login
listen = *
passdb {
driver = passwd
}
protocols =
service auth {
unix_listener /var/spool/postfix/private/auth {
group = postfix
mode = 0660
user = postfix
}
}
ssl_cert = /etc/openssl/certs/dovecot.pem
ssl_key = /etc/openssl/private/dovecot.pem
userdb {
driver = passwd
}
I used the mkcert.sh script to create a self-signed certificate, and
placed it in the /etc/openssl/{certs,private}/dovecot.pem as specified
in the configuration.
And finally, my postfix config has been modified to include
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$mydomain
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_unknown_recipient_domain,reject_non_fqdn_recipient,permit_sasl_authenticated,reject
I'm obviously missing something, but would appreciate any clues on how
to make it find and use the certs.
On Sun, 6 Nov 2011, Matthias Scheler wrote:

> On Sun, Nov 06, 2011 at 07:26:33AM -0800, Paul Goyette wrote:
> > > > I think that all I need is to get the mail/dovecot package
> > > You should really use the "mail/dovecot2" package.
> > Yes, I have installed dovecot2.0.13nb2 from pkgsrc
> Good.
>
> > > > installed and running (plus some changes to postfix
> > > > configuration), but the instructions are rather lengthy and
> > > > intimidating.
> > > Which instructions did you look at? The instructions in the
> > > Dovecot Wiki are IMHO quite simple:
> > > http://wiki2.dovecot.org/HowTo/PostfixAndDovecotSASL
> > I was reading the /usr/share/examples/postfix/SASL_README
> That's a bit too generic.
>
> > The above WiKi is certainly helpful for getting postfix set up, but
> > I guess I need more help just getting dovecot itself configured and
> > running. I'll see if I can navigate the Dovecot Wiki ...
> No, that page explains pretty much everything. Here is the full
> "dovecot.conf" that I'm using:
>
> auth_mechanisms = cram-md5 digest-md5 plain login
> listen = *, [::]
> #mail_debug = yes
> mail_location = mbox:~/Mail:INBOX=/var/mail/%u
> passdb {
>   args = /etc/pkg/dovecot/passwd
>   driver = passwd-file
> }
> pop3_uidl_format = %08Xv%08Xu
> protocols = imap pop3
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     group = postfix
>     mode = 0660
>     user = postfix
>   }
> }
> ssl = yes
> ssl_cert = </etc/openssl/certs/dovecot.pem
> ssl_key = </etc/openssl/private/dovecot.pem
> userdb {
>   driver = passwd
> }
>
> This is good enough to get SMTP auth, POP3(S) and IMAP(S) working.
> I use a separate password file which is necessary for challenge
> response authentication methods like CRAM-MD5. It also has the
> advantage that I can have accounts with a valid shell (for pipe
> mailer usage) which still cannot log in via SSH as the account
> is locked in "master.passwd".
>
> Kind regards
>
> --
> Matthias Scheler http://zhadum.org.uk/
-------------------------------------------------------------------------
| Paul Goyette | PGP Key fingerprint: | E-mail addresses: |
| Customer Service | FA29 0E3B 35AF E8AE 6651 | paul at whooppee.com |
| Network Engineer | 0786 F758 55DE 53BA 7731 | pgoyette at juniper.net |
| Kernel Developer | | pgoyette at netbsd.org |
-------------------------------------------------------------------------
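As an added illustration (my own code, not from this thread and not from the Dovecot or Postfix projects), the following Python linter checks the two configuration details this exchange turns on. It parses `dovecot -n` style output and a Postfix master.cf/main.cf fragment, then reports Dovecot `ssl_cert`/`ssl_key` values that lack the leading `<` (without it Dovecot treats the value as inline PEM data rather than a file path; compare the two dovecot.conf listings above), and any Postfix `smtpd` service that enables TLS without an `smtpd_tls_cert_file`, which is what produces the "No server certs available. TLS won't be enabled" warning and the 454 reply to STARTTLS. Postfix reads its own certificate from `smtpd_tls_cert_file`; the Dovecot `ssl_cert` setting does not configure Postfix. The function names, the sample configurations and the `/etc/openssl/.../postfix.pem` path are constructed for the example.

```python
"""Lint Dovecot and Postfix TLS settings (added example, constructed input)."""
from typing import Dict, List

# Constructed samples modelled on the thread; not the poster's real files.
DOVECOT_BROKEN = """\
# 2.0.13: /usr/pkg/etc/dovecot/dovecot.conf (constructed sample)
auth_mechanisms = plain login
service auth {
  unix_listener /var/spool/postfix/private/auth {
    group = postfix
    mode = 0660
    user = postfix
  }
}
ssl_cert = /etc/openssl/certs/dovecot.pem
ssl_key = /etc/openssl/private/dovecot.pem
"""
DOVECOT_FIXED = DOVECOT_BROKEN.replace("= /etc/openssl", "= </etc/openssl")

MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
MAIN_CF_BROKEN = "mydomain = example.com\n"
# Hypothetical path for Postfix's own certificate; the key file defaults to it.
MAIN_CF_FIXED = MAIN_CF_BROKEN + "smtpd_tls_cert_file = /etc/openssl/certs/postfix.pem\n"


def parse_dovecot_conf(text: str) -> Dict[str, str]:
    """Flatten `dovecot -n` output into {"block/.../key": value}."""
    settings: Dict[str, str] = {}
    stack: List[str] = []  # enclosing block names, e.g. ["service auth"]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition("=")
            settings["/".join(stack + [key.strip()])] = value.strip()
    return settings


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse simple `key = value` lines from a Postfix main.cf."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def parse_master_cf(text: str) -> List[dict]:
    """Parse master.cf services; indented lines continue the previous entry."""
    services: List[dict] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and services:
            services[-1]["args"].extend(raw.split())
            continue
        fields = raw.split()
        if len(fields) >= 8:  # name type private unpriv chroot wakeup maxproc command
            services.append({"name": fields[0], "type": fields[1],
                             "command": fields[7], "args": fields[8:]})
    for svc in services:  # collect "-o key=value" overrides
        args, opts = svc["args"], {}
        for i in range(len(args) - 1):
            if args[i] == "-o":
                key, _, value = args[i + 1].partition("=")
                opts[key] = value
        svc["options"] = opts
    return services


def lint_tls(dovecot_text: str, master_text: str, main_text: str) -> List[str]:
    """Return a list of human-readable findings; empty means no problem found."""
    findings: List[str] = []
    dovecot = parse_dovecot_conf(dovecot_text)
    for key in ("ssl_cert", "ssl_key"):
        value = dovecot.get(key)
        if value is None:
            findings.append(f"dovecot: {key} is not set")
        elif not value.startswith("<"):
            findings.append(f"dovecot: {key} = {value!r} lacks the '<' prefix, "
                            "so Dovecot reads it as literal PEM data, not a file")
    main = parse_main_cf(main_text)
    for svc in parse_master_cf(master_text):
        level = svc.get("options", {}).get("smtpd_tls_security_level",
                                           main.get("smtpd_tls_security_level", ""))
        if svc["command"] != "smtpd" or level in ("", "none"):
            continue  # TLS not offered by this service; nothing to check
        if "smtpd_tls_cert_file" not in svc["options"] and "smtpd_tls_cert_file" not in main:
            findings.append(f"postfix: service {svc['name']} sets "
                            f"smtpd_tls_security_level={level} but no smtpd_tls_cert_file "
                            "is set (as -o override or in main.cf); smtpd will warn "
                            "'No server certs available' and answer STARTTLS with 454")
    return findings


if __name__ == "__main__":
    for line in lint_tls(DOVECOT_BROKEN, MASTER_CF, MAIN_CF_BROKEN):
        print(line)
    print("fixed config findings:", lint_tls(DOVECOT_FIXED, MASTER_CF, MAIN_CF_FIXED))
```

Run against the broken sample it reports three findings (both Dovecot paths and the submission service); against the corrected sample it reports none. Feeding it real `dovecot -n` and `postconf -n` output works the same way, since both print one setting per line.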