exclude localhost from postfix sasl, tls

Discussion in 'Installation/Configuration' started by sygram, Jul 14, 2012.

  1. sygram

    sygram Member

    Hi there,

    due to pci dss check i am trying to allow only secure connections to postfix and exclude sslv2. I've added the following lines to main.cf

    smtpd_tls_mandatory_protocols = SSLv3, TLSv1
    smtpd_tls_mandatory_ciphers = medium, high
    smtpd_tls_auth_only = yes
    smtpd_tls_security_level = encrypt

    and now as far as i can see it accepts only TLS connections. Unfortunately i can not connect simply from localhost to 25 and various web apps that do not authenticate locally can not send emails.

    So my questions are :

    1) how do i allow unencrypted and anonymous connections from localhost (as before)
    2) how do instruct dovecot to use encrypted passwords ?

    Thank you in advance.


  2. sygram

    sygram Member

    Hi there,

    only if i change smtpd_tls_security_level = encrypt to "may" i can send email from localhost as tls is not mandatory in this case.

    I am not sure how to auto authorize localhost to sasl. This is what maillog prints :

    Jul 16 14:01:56 server postfix/smtpd[7778]: connect from server[]
    Jul 16 14:01:56 server postfix/smtpd[7778]: lost connection after EHLO from server []
    Jul 16 14:01:56 server postfix/smtpd[7778]: disconnect from server[]

    i tried to add smtpd_sasl_exceptions_networks = $mynetworks where mynetworks = but nothing

    Any ideas ?
  3. sygram

    sygram Member

    any assistance will be appreciated.
  4. createch

    createch ISPConfig Developer ISPConfig Developer

    Did you try to use sendmail thru another port , e.g. 1025 (instead of using postix on port 25) to send out the email from localhost ? What is the result ?
  5. sygram

    sygram Member

    Hi createch,

    i appreciate your reply.

    I actually managed to find a solution that i am posting to save a lot of time for anyone else having the same issue.

    the solution is to change the file master.cf :

    submission inet n - n - - smtpd
    -o smtpd_enforce_tls=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
    smtps inet n - n - - smtpd
    -o smtpd_tls_wrappermode=yes
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject

    enable submission and smtps and added permit_mynetworks accordingly. Now i use ssl over port 465.

    Everything safe and secure.


Share This Page