Discussion:
Exempting localhost from STARTTLS
Gerard
2009-09-09 19:19:35 UTC
I use fetchmail to harvest mail from a couple of accounts. I added this
to the main.cf file and fetchmail stopped delivering mail.

smtpd_tls_security_level = encrypt

This was the error message:

fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
fetchmail: SMTP server requires STARTTLS, keeping message.
fetchmail: not flushed

I then added this to the main.cf file:

smtpd_sasl_exceptions_networks = localhost

I thought that would correct the problem; however, it doesn't. Mail
from the regular users on the network is delivered to the server's IP:
192.168.1.103

Is there any way I can get this to work?

~ $ postconf -n
alias_database = hash:/usr/local/etc/postfix/aliases
alias_maps = hash:/usr/local/etc/postfix/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
delay_warning_time = 2h
html_directory = no
inet_interfaces = all
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = seibercom.net
mynetworks_style = subnet
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = no
sample_directory = /usr/local/etc/postfix
sender_dependent_relayhost_maps = hash:/usr/local/etc/postfix/sender_relay
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sasl_type = cyrus
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtp_tls_CApath = /usr/local/etc/postfix/certs
smtp_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtp_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtp_tls_loglevel = 2
smtp_tls_note_starttls_offer = yes
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
smtpd_authorized_verp_clients = $mynetworks
smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination reject
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = smtpd
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/postfix-cert.pem
smtpd_tls_key_file = /usr/local/etc/postfix/certs/postfix-key.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_tls_session_cache
tls_random_source = dev:/dev/urandom
transport_maps = hash:/usr/local/etc/postfix/transport
unknown_local_recipient_reject_code = 550
--
Gerard
***@yahoo.com

TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html

Some of the things that live the longest
in peoples' memories never really happened.
Wietse Venema
2009-09-09 19:30:45 UTC
Post by Gerard
I use fetchmail to harvest mail from a couple of accounts. I added this
to the main.cf file and fetchmail stopped delivering mail.
smtpd_tls_security_level = encrypt
fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
fetchmail: SMTP server requires STARTTLS, keeping message.
/etc/postfix/master.cf:
192.168.1.1:smtp inet n - - - - smtpd
127.0.0.1:smtp inet n - - - - smtpd
-o smtpd_tls_security_level=may
Post by Gerard
smtpd_sasl_exceptions_networks = localhost
That controls SASL not TLS.

Wietse
Victor Duchovni
2009-09-09 19:31:06 UTC
Post by Gerard
I use fetchmail to harvest mail from a couple of accounts. I added this
to the main.cf file and fetchmail stopped delivering mail.
smtpd_tls_security_level = encrypt
This requires all clients to use SSL/TLS.
Post by Gerard
smtpd_sasl_exceptions_networks = localhost
This suppresses SASL authentication for local hosts, but SASL is not SSL.
Post by Gerard
I thought that would correct the problem; however, it doesn't. Mail
192.168.1.103
Is there any way I can get this to work?
Try:

smtpd_tls_security_level = may

and if you want to insist that some clients use SSL/TLS, do so via
"reject_plaintext_session" after permitting clients that don't need
to use SSL/TLS:

http://www.postfix.org/postconf.5.html#reject_plaintext_session

For example:

smtpd_client_restrictions =
permit_inet_interfaces,
reject_plaintext_session
--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:***@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
Geert Hendrickx
2009-09-10 09:20:50 UTC
Post by Gerard
I use fetchmail to harvest mail from a couple of accounts. I added
this to the main.cf file and fetchmail stopped delivering mail.
Do you actually need fetchmail to deliver mail via smtp? If you don't
need special handling by postfix and just want to drop the messages into
your mailbox, you could just as well deliver directly via procmail,
dovecot deliver or any other LDA. Or use Postfix' sendmail command line
interface.

Just add "mda /path/to/delivery/program" to your .fetchmailrc.


Geert
--
Geert Hendrickx -=- ***@telenet.be -=- PGP: 0xC4BB9E9F
This e-mail was composed using 100% recycled spam messages!
Gerard
2009-09-10 10:17:26 UTC
On Thu, 10 Sep 2009 11:20:28 +0200
Post by Geert Hendrickx
Post by Gerard
I use fetchmail to harvest mail from a couple of accounts. I added
this to the main.cf file and fetchmail stopped delivering mail.
Do you actually need fetchmail to deliver mail via smtp? If you don't
need special handling by postfix and just want to drop the messages
into your mailbox, you could just as well deliver directly via
procmail, dovecot deliver or any other LDA. Or use Postfix' sendmail
command line interface.
Just add "mda /path/to/delivery/program" to your .fetchmailrc.
Well, for one thing, I wouldn't use Procmail if you paid me.
(Well, maybe a lot of money anyway).

Second, not all mail is received via Fetchmail.

Third, it is not my system. However, it does use clamav-milter with
Postfix. Wouldn't delivering directly to Dovecot bypass virus scanning?
--
Gerard
***@yahoo.com

Barth's Distinction:
There are two types of people: those who divide people into two
types, and those who don't.
Gerard
2009-09-10 11:27:52 UTC
On Wed, 9 Sep 2009 15:30:22 -0400 (EDT)
Post by Wietse Venema
Post by Gerard
I use fetchmail to harvest mail from a couple of accounts. I added
this to the main.cf file and fetchmail stopped delivering mail.

smtpd_tls_security_level = encrypt

fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
fetchmail: SMTP server requires STARTTLS, keeping message.

192.168.1.1:smtp inet n - - - - smtpd
127.0.0.1:smtp inet n - - - - smtpd
-o smtpd_tls_security_level=may

Post by Gerard

smtpd_sasl_exceptions_networks = localhost

That controls SASL not TLS.

Wietse
I had to modify that slightly and use 192.168.1.103 instead. I received
an error about not being able to bind to the address.

Unfortunately, there still seems to be a problem. The clamav-milter is
now apparently not working correctly.

From maillog:

Sep 10 07:15:18 scorpio postfix/smtpd[59459]: connect from unknown[127.0.0.1]
Sep 10 07:15:18 scorpio postfix/smtpd[59459]: warning: connect to Milter service unix:/var/run/clamav/clmilter.sock: No such file or directory
Sep 10 07:15:18 scorpio postfix/smtpd[59459]: 1BF4322834: client=unknown[127.0.0.1]

I checked, and clamav-milter is running and the file does exist:
srwxrwxr-x 1 clamav postfix 0B Sep 10 07:14 clmilter.sock=

In any case, I have activated the submission port and am attempting to
get all the mail users to use that instead. So far, so good.

--
Gerard
***@yahoo.com

Likewise, the national appetizer, brine-cured herring with raw onions,
wins few friends, Germans excepted.

Darwin Porter "Scandinavia On $50 A Day"
Wietse Venema
2009-09-10 12:32:51 UTC
Post by Gerard
On Wed, 9 Sep 2009 15:30:22 -0400 (EDT)
Post by Wietse Venema
Post by Gerard
I use fetchmail to harvest mail from a couple of accounts. I added
this to the main.cf file and fetchmail stopped delivering mail.
smtpd_tls_security_level = encrypt
fetchmail: SMTP error: 530 5.7.0 Must issue a STARTTLS command first
fetchmail: SMTP server requires STARTTLS, keeping message.
192.168.1.1:smtp inet n - - - - smtpd
127.0.0.1:smtp inet n - - - - smtpd
-o smtpd_tls_security_level=may
Post by Gerard
smtpd_sasl_exceptions_networks = localhost
That controls SASL not TLS.
Wietse
I had to modify that slightly and use 192.168.1.103 instead. I received
an error about not being able to bind to the address.
Unfortunately, there still seems to be a problem. The clamav-milter is
now apparently not working correctly.
Use Victor's suggestion instead.

smtpd_tls_security_level = may
smtpd_client_restrictions = permit_mynetworks, reject_plaintext_session

Wietse
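To make the ordering point in Victor's and Wietse's suggestions concrete, the block below is an added Python model of the decision (not Postfix code, and not from either poster); the network and interface lists are constructed assumptions standing in for the thread's LAN. It also shows why `smtpd_sasl_exceptions_networks` cannot affect STARTTLS enforcement.

```python
import ipaddress

# Constructed assumptions standing in for the thread's LAN; these lists
# are not taken from the original posts.
MYNETWORKS = ["127.0.0.0/8", "192.168.1.0/24"]      # roughly what mynetworks_style = subnet yields
INET_INTERFACES = ["127.0.0.1", "192.168.1.103"]    # addresses smtpd listens on
SASL_EXCEPTIONS_NETWORKS = ["127.0.0.0/8"]          # smtpd_sasl_exceptions_networks = localhost

def in_networks(ip, nets):
    """True when ip falls inside any of the CIDR blocks in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)

def offers_auth(client_ip):
    """SASL exceptions only decide whether AUTH is advertised to a client;
    they play no part in the STARTTLS decision modelled in evaluate()."""
    return not in_networks(client_ip, SASL_EXCEPTIONS_NETWORKS)

def evaluate(cfg, client_ip, tls_active):
    """Decide whether a session may proceed to MAIL FROM without TLS.
    Returns (action, reason). Simplified from postconf(5): 'encrypt' rejects
    every plaintext session before any restriction list is consulted (the
    530 fetchmail saw); 'may' leaves it to smtpd_client_restrictions, which
    are evaluated in order and the first match wins, so the permits must
    come before reject_plaintext_session."""
    if cfg["smtpd_tls_security_level"] == "encrypt" and not tls_active:
        return ("REJECT", "530 5.7.0 Must issue a STARTTLS command first")
    for restriction in cfg["smtpd_client_restrictions"]:
        if restriction == "permit_mynetworks" and in_networks(client_ip, MYNETWORKS):
            return ("OK", restriction)
        if restriction == "permit_inet_interfaces" and client_ip in INET_INTERFACES:
            return ("OK", restriction)
        if restriction == "reject_plaintext_session" and not tls_active:
            # default plaintext_reject_code is 450; wording approximates Postfix's
            return ("REJECT", "450 4.7.1 Session encryption is required")
    return ("OK", "end of list")  # an exhausted restriction list permits

BROKEN = {"smtpd_tls_security_level": "encrypt",
          "smtpd_client_restrictions": []}
FIXED = {"smtpd_tls_security_level": "may",
         "smtpd_client_restrictions": ["permit_mynetworks", "reject_plaintext_session"]}
REVERSED = {"smtpd_tls_security_level": "may",
            "smtpd_client_restrictions": ["reject_plaintext_session", "permit_mynetworks"]}

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED), ("reversed", REVERSED)):
        for ip, tls in (("127.0.0.1", False), ("203.0.113.5", False), ("203.0.113.5", True)):
            print(name, ip, "tls" if tls else "plain", evaluate(cfg, ip, tls))
```

With FIXED, a plaintext fetchmail session from 127.0.0.1 is permitted while a plaintext session from an outside address is rejected; swapping the two restrictions (REVERSED) rejects the local client as well.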