Confusion : smtp_tls_auth_only vs smtpd_tls_auth_only
Muhammad Yousuf Khan
2015-04-08 10:55:46 UTC
It is written in books and on internet forums that in main.cf:
- *smtp_tls_auth_only* is for outgoing mails, or to send mails to other
mail servers.
- *smtpd_tls_auth_only* is for clients/customers sending emails to my server.

But my results are not as mentioned.

*Test 1* (sending email from Postfix to Gmail server)
smtp_tls_auth_only = may
smtpd_tls_auth_only = may
Result = Working fine.

*Test 2* (sending email from my Postfix to Gmail server)
smtp_tls_auth_only = may
smtpd_tls_auth_only = encrypt
*Result = Fail with NDR:*
host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=21205-11 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)

*Comment:* since smtp_tls_auth_only is responsible for sending emails,
why is it rejecting for encryption purposes?

*Test 3* (sending email from my Postfix to Gmail server)
smtp_tls_auth_only = encrypt
smtpd_tls_auth_only = may
*Result = fail with no NDR, but with this log:*
relay=127.0.0.1[127.0.0.1]:10024, delay=0.07, delays=0.06/0.01/0/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host 127.0.0.1[127.0.0.1])

Comment: I know my email is not being delivered, which is what I want, as
Google is not set to encrypt a channel with me. But it is showing an error at
my end (127.0.0.1), which is kinda confusing.

----------------------
MY GOAL:
----------------------
I want to force client submission on 587 and MTA-to-MTA communication on
25 only.

With any of the above settings in the example, my clients can still submit to
port 25, which I don't want.

-----------------------
master.cf
----------------------

smtp inet n - - - - smtpd
#smtp inet n - - - 1 postscreen
#smtpd pass - - - - - smtpd
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - n - - smtpd
  -o syslog_name=postfix/submission
#  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - - - - smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

-------------------------------------
postconf -n
-------------------------------------

alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
append_dot_mydomain = no
biff = no
body_checks = regexp:/etc/postfix/body_checks
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
content_filter = amavis:[127.0.0.1]:10024
dovecot_destination_recipient_limit = 1
header_checks = regexp:/etc/postfix/header_checks
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
inet_protocols = all
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
maildrop_destination_concurrency_limit = 1
maildrop_destination_recipient_limit = 1
mime_header_checks = regexp:/etc/postfix/mime_header_checks
mydestination = mail.anitbridge.com, localhost, localhost.localdomain
myhostname = mail.anitbridge.com
mynetworks = 127.0.0.0/8 [::1]/128
myorigin = /etc/mailname
nested_header_checks = regexp:/etc/postfix/nested_header_checks
owner_request_special = no
proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks
readme_directory = /usr/share/doc/postfix
receive_override_options = no_address_mappings
recipient_delimiter = +
relay_domains = mysql:/etc/postfix/mysql-virtual_relaydomains.cf
relay_recipient_maps = mysql:/etc/postfix/mysql-virtual_relayrecipientmaps.cf
relayhost =
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_security_level = encrypt
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
smtpd_client_message_rate_limit = 100
smtpd_client_restrictions = check_client_access mysql:/etc/postfix/mysql-virtual_client.cf
smtpd_recipient_restrictions = reject_rbl_client zen.spamhaus.org, permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_recipient_access mysql:/etc/postfix/mysql-virtual_recipient.cf
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/mysql-virtual_sender.cf
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
transport_maps = hash:/var/lib/mailman/data/transport-mailman, proxy:mysql:/etc/postfix/mysql-virtual_transports.cf
virtual_alias_domains =
virtual_alias_maps = hash:/var/lib/mailman/data/virtual-mailman, proxy:mysql:/etc/postfix/mysql-virtual_forwardings.cf, proxy:mysql:/etc/postfix/mysql-virtual_email2email.cf
virtual_gid_maps = static:5000
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql-virtual_domains.cf
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql-virtual_mailboxes.cf
virtual_transport = dovecot
virtual_uid_maps = static:5000


Any help in this regard will be highly appreciated.

Thanks,
Yousuf
Viktor Dukhovni
2015-04-08 12:37:31 UTC
Post by Muhammad Yousuf Khan
it is written in books and on internet forums that in main.cf.
- *smtp_tls_auth_only* for outgoing mails or to send mails to other
Any such books are wrong, and "forums" are full of clueless cargo-cult
advice. There is no "smtp_tls_auth_only" parameter in Postfix.
Post by Muhammad Yousuf Khan
Mailserver.
- *smtpd_tls_auth_only *for clients/customers sending emails to my server.
This parameter exists, and controls whether the Postfix SMTP server
allows SASL logins via unencrypted connections.
Post by Muhammad Yousuf Khan
*Test1 *- (sending email from postfix to gmail server)
smtp_tls_auth_only = may
smtpd_tls_auth_only = may
The first parameter is fictional and is ignored, the second can
only be set to "no" or "yes" and is used when receiving mail. Your
SMTP server might not work with that bogus "may" setting.

The parameters that take one of the values "none, may, encrypt, ..."
are:

smtp_tls_security_level = may
smtpd_tls_security_level = may

and control the use of TLS encryption, not SASL user authentication.
Post by Muhammad Yousuf Khan
*Test3 *- (sending email from my postfix to gmail server)
smtp_tls_auth_only = encrypt
Surely that was actually "smtp_tls_security_level = encrypt".
Post by Muhammad Yousuf Khan
relay=127.0.0.1[127.0.0.1]:10024,
delay=0.07, delays=0.06/0.01/0/0, dsn=4.7.4, status=deferred (TLS is
required, but was not offered by host 127.0.0.1[127.0.0.1])
Well, you need to either explicitly disable mandatory TLS for the
transport used to content-filter your mail, or make TLS mandatory
*only* for the gmail relay via:

http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
--
Viktor.
Viktor Dukhovni
2015-04-08 12:57:49 UTC
Post by Muhammad Yousuf Khan
-----------------------
master.cf
----------------------
#dnsblog unix - - - - 0 dnsblog
#tlsproxy unix - - - - 0 tlsproxy
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Where's the port 25 (smtp) inet service?
Post by Muhammad Yousuf Khan
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
Make that:

submission inet n - n - - smtpd
  -o syslog_name=submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Post by Muhammad Yousuf Khan
-------------------------------------
postconf -n
-------------------------------------
content_filter = amavis:[127.0.0.1]:10024
smtp_tls_protocols = !SSLv2,!SSLv3
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_security_level = encrypt
Replace the last line with:

smtp_tls_security_level = may
--
Viktor.
Muhammad Yousuf Khan
2015-04-08 18:59:56 UTC
I really hate myself when I do something confidently and do it very
wrong. Actually, the parameter I typed in all the examples was wrong. The
correct ones are "smtp_tls_security_level and smtpd_tls_security_level", and
of course you may have noticed them in my "postconf -n". Anyway, a mistake is
a mistake.

Now can you please explain these wrong results in light of the above?

Where's the port 25(smtp) inet service?

Do you mean this line "smtp inet n - n - - smtpd -v"? Sorry, I missed it. It
was at the top and I copied the lower end of the file.
Post by Muhammad Yousuf Khan
Post by Muhammad Yousuf Khan
submission inet n - n - - smtpd
-o syslog_name=postfix/submission
# -o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATING
submission inet n - n - - smtpd
-o syslog_name=submission
-o smtpd_tls_security_level=encrypt
-o smtpd_sasl_auth_enable=yes
-o smtpd_client_restrictions=permit_sasl_authenticated,reject
-o milter_macro_daemon_name=ORIGINATIN
OK, I also uncommented it as suggested.

Here are the main.cf parameters that you wanted me to change:
# cat /etc/postfix/main.cf | grep level
smtp_tls_security_level = may
smtpd_tls_security_level = encrypt

Here is the master.cf line that I uncommented as per your suggestion:

-o smtpd_tls_security_level=encrypt

Now I am getting an NDR like this:
<***@gmail.com>: host 127.0.0.1[127.0.0.1] said: 530 5.7.0 id=30222-02 - Rejected by next-hop MTA on relaying, from MTA(smtp:[127.0.0.1]:10025): 530 5.7.0 Must issue a STARTTLS command first (in reply to end of DATA command)


Actually I am confused, because in books it is said that

smtp_tls_security_level is for MTA to MTA communication

and

smtpd_tls_security_level is for client to MTA communication,
no matter whether these are mentioned in master.cf; the purpose remains the same.

And I have set "may" on the smtp, not the smtpd, parameter. Then why is the
smtpd parameter value "encrypt" colliding with or messing up the smtp work?
This is my actual confusion; maybe I am wrong with the concept or I am doing
it wrong.

The point which is actually catching my attention is that when I change the
value of smtpd_tls_security_level = may and smtp_tls_security_level = may
(meaning both set to "may") and comment out the line "-o
smtpd_tls_security_level = encrypt" in master.cf, everything goes back to
normal. But my problem is that on port 25 my clients can connect and even
send email, which I don't want; I want to force my clients to submit on port
587 only.

Any help will be highly appreciated.

Thanks,
Yousuf
Noel Jones
2015-04-08 19:29:43 UTC
Post by Muhammad Yousuf Khan
I really hate my self when i do some thing confidently and doing it
very wrong. actually the parameter i typed in over all examples were
wrong. the correct one is "smtp_tls_security_level
and smtpd_tls_security_level" and ofcouse you may have notice them
in my "postconf -n". anyways mistake is a mistake.
now can you please explain these wrong result in light of above
Where's the port 25(smtp) inet service?
do you mean this line "smtp inet n - n - - smtpd -v"sorry i missed
it. it was at the top and i copied the lower end of the file.
Remove the "-v" verbose logging. It won't help solve this problem,
and will hide other problems in the flood.
Post by Muhammad Yousuf Khan
here are main.cf parameters that you wanted me to
change
# cat /etc/postfix/main.cf | grep level
smtp_tls_security_level = may
OK.
Post by Muhammad Yousuf Khan
smtpd_tls_security_level = encrypt
NO, this must be set to either may or no.
Post by Muhammad Yousuf Khan
here is the master.cf that i uncommitted as per
your suggestion.
-o smtpd_tls_security_level=encrypt
Now i am getting NDR like this.
127.0.0.1[127.0.0.1] said: 530 5.7.0 id=30222-02 -
Rejected by next-hop MTA on relaying, from
MTA(smtp:[127.0.0.1]:10025): 530
5.7.0 Must issue a STARTTLS command first (in reply to end of
DATA command)
Because you require encryption, and your content_filter does not
support (or isn't configured for) encryption.

Set main.cf "smtpd_tls_security_level = may" to fix this.
Post by Muhammad Yousuf Khan
actually i am confused that in books it is said that
smtp_tls_security_level is for MTA to MTA communication
This is for your server sending mail out, which will usually be to
another MTA or a content_filter. Set it to "may" because the
receiving system might not support encryption.
Post by Muhammad Yousuf Khan
and
smtpd_tls_security_level is for client to MTA communication.
no matter if these are mention in master.conf the purpose remain the
same.
This is for receiving mail, which may be from another MTA, a
content_filter, or a client. Set it to "may" because the sending
system might not support encryption.
Post by Muhammad Yousuf Khan
and i have set "may" on smtp not smtpd parameter. then why smtpd
parameter value "encrypt" is colliding or messing the smtp work?
This is my actual confusion maybe i am wrong with the concept or i
am doing it wrong.
the the point which is actually catching my attention is that when i
change the value of smtpd_tls_security_level = may and
smtp_tls_security_level = may (mean both set to "may") and commit
the line "-o smtpd_tls_security_level = encrypt in master.cf"
every thing back to normal but my problem is on port 25 my client
can connect and even sand email which i dont want i want my clients
to force submission on port 587 only.
To enforce encryption for your users even when using port 25, set in
main.cf:
smtpd_tls_auth_only = yes

-- Noel Jones
Muhammad Yousuf Khan
2015-04-09 11:13:53 UTC
Thanks Noel, you cleared my big confusion. I thought 25 is for MTA and 587
will never receive email from an MTA. Thanks for that.

Now one last question.

My master.cf has set
-o smtpd_tls_security_level=encrypt

It is said that when parameters are set in master.cf they override the
main.cf parameter.

Now I set the main.cf parameters:
smtp_tls_security_level=may
smtpd_tls_security_level=may

I believe that if the master.cf parameter is set as "-o
smtpd_tls_security_level=encrypt" it should throw the same error as if this
parameter were set in main.cf.
However, now my mails are working properly and master.cf is not overriding it.

Can you please throw some light on this?

Thanks,
Yousuf
Noel Jones
2015-04-09 13:55:18 UTC
Post by Muhammad Yousuf Khan
Thanks Neol you cleared my big confusion i thought 25 is for MTA and
587 will never receive email from MTA. thanks for that.
Other MTAs will always connect to port 25; smtpd_tls_security_level
must be set to "may" on port 25, or as the main.cf setting.

Port 587 will only be used by clients, unauthenticated connections
should be rejected; -o smtpd_tls_security_level=encrypt should be
set on the master.cf submission service to require TLS from clients.

Clients may also connect to port 25 if your local policy allows it,
although most sites require that clients use 587. So you can set main.cf
"smtpd_tls_auth_only = yes" to require that clients use TLS before
they can use AUTH.
Post by Muhammad Yousuf Khan
now one last question.
my master.cf has set
-o smtpd_tls_security_level=encrypt
I'm going to assume this override is under the "submission" service.
Too bad you left out that important detail.
Post by Muhammad Yousuf Khan
it is said that when parameters are set in master.cf
they override main.cf parameter.
Yes, that is correct, but only for the service the parameter appears
under.
Post by Muhammad Yousuf Khan
now i set. main.cf parameters.
smtp_tls_security_level=may
smtpd_tls_security_level=may
The main.cf parameter sets the security level for services in
master.cf that do not have an -o override, such as the "smtp"
service that listens on port 25, and your content_filter listener on
10025.
Post by Muhammad Yousuf Khan
i believe that if master.cf parameter set as "-o
smtpd_tls_security_level=encrypt" it should throw the same error as
if this parameter set in main.cf
however now my mails are properly working and master.cf
not overriding it.
The master.cf -o overrides are only used by the services they appear
under.

-- Noel Jones
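To make the override rule from this thread concrete, here is an added example (not code from the thread, from Postfix, or from either poster) that parses constructed main.cf and master.cf fragments modelled on the configuration above, resolves the smtpd_tls_security_level each service actually uses, and flags the combinations that produced the "530 Must issue a STARTTLS command first" and "TLS is required, but was not offered" failures. The functions parse_main_cf, parse_master_cf, effective and check_tls_policy are this example's own helpers, and the 127.0.0.1:10025 reinjection listener is assumed, not taken from the posted master.cf.

```python
# Constructed main.cf/master.cf fragments modelled on the thread; helpers are this example's own.
MAIN_CF = """\
content_filter = amavis:[127.0.0.1]:10024
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:10025 inet n - n - - smtpd
  -o smtpd_tls_security_level=none
"""

def parse_main_cf(text):
    params = {}                                   # one 'key = value' per line
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            key, _, value = line.partition("=")
            params[key.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """Entries start in column 1; indented '-o key=value' lines apply to that entry only."""
    services, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if line[:1] not in " \t#":                # new service entry (blank/comment lines fall through and are ignored)
            current = stripped.split()[0]
            services[current] = {}
        elif current and stripped.startswith("-o"):
            key, _, value = stripped[2:].strip().partition("=")
            services[current][key.strip()] = value.strip()
    return services

def effective(main, services, param):
    """Per-service value: the service's own -o override, else the main.cf default."""
    return {n: o.get(param, main.get(param, "")) for n, o in services.items()}

def check_tls_policy(main, services):
    """Flag the combinations that produced the failures in the thread."""
    findings = []
    for name, level in effective(main, services, "smtpd_tls_security_level").items():
        if name == "submission" and level != "encrypt":
            findings.append(f"{name}: use encrypt so clients must STARTTLS")
        elif name != "submission" and level == "encrypt":
            findings.append(f"{name}: encrypt rejects other MTAs and the filter reinjection")
    if main.get("content_filter") and main.get("smtp_tls_security_level") == "encrypt":
        findings.append("smtp: encrypt defers mail to the content filter, which offers no TLS")
    if main.get("smtpd_tls_auth_only") != "yes":
        findings.append("main.cf: smtpd_tls_auth_only=yes blocks plaintext AUTH on port 25")
    return findings
```

Running check_tls_policy on the fragments above returns no findings; changing the main.cf default to encrypt reproduces the port 25 and content-filter failures the thread describes.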
Muhammad Yousuf Khan
2015-04-09 18:08:31 UTC
Thanks Noel, understood :) Your knowledge really helped me and I appreciate
that.

Thanks again.
