Bug 164013

Summary: smtpd_tls_auth_only = yes doesn't prevent auth in non-tls mode
Product: Red Hat Enterprise Linux 4
Reporter: Harry Hoffman <hhoffman>
Component: postfix
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4.0
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-07-25 10:52:25 UTC

Description Harry Hoffman 2005-07-22 21:02:33 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
According to the documentation, the use of "smtpd_tls_auth_only = yes" is supposed to prevent postfix from performing authentication when not in TLS mode.
This is not the case. Postfix will stop advertising AUTH after an EHLO in non-TLS mode, but you can still provide "AUTH PLAIN ENCODED_CREDS" and, if correct, you will receive a "235 Authentication successful".
What should happen is that you receive a "538 Encryption required for requested authentication mechanism".

Version-Release number of selected component (if applicable):
postfix-2.1.5-4.2.RHEL4

How reproducible:
Always

Steps to Reproduce:
1. ensure smtpd_tls_auth_only = yes is set in main.conf
2. telnet to port 25 of the postfix server
3. issue AUTH PLAIN ENCODED_CREDENTIALS   (where ENCODED_CREDENTIALS are your username and password in base64 encoding)
  

Actual Results:  Authentication takes place and returns success if username and password are correct

Expected Results:  Postfix returns error stating that you must use STARTTLS to authenticate

Additional info:

Wrote to the postfix mailing list on 22 July 2005 describing the problem. Here is the answer:
Compile Postfix 2.2.[45] with TLS support. The TLS support in 2.1.5
is a 3rd-party patch and is not supported here. If you want bugfixes
for the 2.1 TLS addon, try RedHat.
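
The reproduction steps above, turned into a defender-side configuration check. This is an added example, not code from the bug report, Red Hat or the Postfix project. It connects to an SMTP server without issuing STARTTLS, records whether EHLO still advertises AUTH, sends AUTH PLAIN with throwaway credentials and classifies the reply: 235 means cleartext login was accepted (the behaviour reported here), 334 or 535 means the server was still willing to process cleartext credentials, and any other 5xx (538 as the report expects; some servers use 504 5.5.4 for the same refusal) means smtpd_tls_auth_only is being enforced before the credentials are looked at. The host, port and "probe"/"probe" account are placeholders, and the in-process stub server is a constructed stand-in for the two behaviours described, so the script runs offline; point `check_cleartext_auth` at a real server's address to check it.

```python
"""Check whether an SMTP server refuses AUTH on a plaintext (pre-STARTTLS) session.

Added example; not from the bug report or from Postfix. Host/port/credentials
are placeholders and StubSmtpd is a constructed stand-in for a real MTA.
"""
import base64
import socket
import socketserver
import threading


def _read_reply(rfile):
    """Read one SMTP reply, multi-line ("250-") or not; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":      # "250 " ends the reply
            return int(line[:3]), lines


def check_cleartext_auth(host, port, user="probe", password="probe", timeout=10):
    """Talk SMTP without STARTTLS and report how AUTH PLAIN is handled.

    user/password are throwaway values: a correctly configured server must
    refuse the AUTH command before it evaluates them, so nothing real has to
    cross the wire in clear to perform this check.
    """
    creds = base64.b64encode(f"\0{user}\0{password}".encode()).decode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        rfile = sock.makefile("rb")
        _read_reply(rfile)                                   # 220 banner
        sock.sendall(b"EHLO probe.example\r\n")
        _, ehlo = _read_reply(rfile)
        advertised = any(l[4:].upper().startswith("AUTH") for l in ehlo)
        sock.sendall(f"AUTH PLAIN {creds}\r\n".encode())     # deliberately no STARTTLS
        code, _ = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
        _read_reply(rfile)                                   # 221
    if code == 235:
        verdict = "accepted"        # cleartext login succeeded: the reported bug
    elif code in (334, 535):
        verdict = "evaluated"       # server processed cleartext credentials
    elif 500 <= code < 600:
        verdict = "refused"         # 538/504/503/530: enforced before any check
    else:
        verdict = f"unexpected-{code}"
    return {"auth_advertised": advertised, "auth_code": code, "verdict": verdict}


class _StubHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP stand-in (constructed). Like the reported build, it never
    advertises AUTH on a plaintext session; server.enforce decides whether an
    AUTH command is refused with 538 or evaluated against server.users."""

    def handle(self):
        self.wfile.write(b"220 stub ESMTP\r\n")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            parts = raw.decode("ascii", "replace").strip().split(" ")
            verb = parts[0].upper()
            if verb == "EHLO":
                self.wfile.write(b"250-stub\r\n250-STARTTLS\r\n250 8BITMIME\r\n")
            elif verb == "AUTH":
                if self.server.enforce:
                    self.wfile.write(b"538 Encryption required for requested "
                                     b"authentication mechanism\r\n")
                    continue
                try:
                    _, user, pw = base64.b64decode(parts[2]).decode().split("\0")
                except (IndexError, ValueError):
                    self.wfile.write(b"501 Syntax error\r\n")
                    continue
                if self.server.users.get(user) == pw:
                    self.wfile.write(b"235 Authentication successful\r\n")
                else:
                    self.wfile.write(b"535 Authentication failed\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


class StubSmtpd(socketserver.ThreadingTCPServer):
    """Loopback stub listening on a free port; serves in a background thread."""
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, enforce, users):
        super().__init__(("127.0.0.1", 0), _StubHandler)
        self.enforce = enforce
        self.users = users
        threading.Thread(target=self.serve_forever, daemon=True).start()


def run_demo():
    """Probe a stub with the reported behaviour and a fixed one; return both results."""
    results = {}
    for name, enforce in (("reported", False), ("fixed", True)):
        srv = StubSmtpd(enforce, {"probe": "probe"})        # constructed account
        try:
            results[name] = check_cleartext_auth(*srv.server_address)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

Note that the "reported" stub reproduces the detail in the description exactly: AUTH is absent from the EHLO response, yet the AUTH command is still accepted. Checking only the EHLO capability list would therefore pass this server; the check has to send the AUTH command and look at the reply code.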

Comment 1 Thomas Woerner 2005-09-08 10:19:45 UTC
Can you please give an example for this?
What exactly do you have configured in your main.cf for tls and sasl?

Comment 2 Harry Hoffman 2005-09-30 03:35:06 UTC
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_hostname

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_rhsbl_client blackhole.securitysage.com,
  reject_rhsbl_sender blackhole.securitysage.com,
  reject_rbl_client sbl-xbl.spamhaus.org,
  permit

smtpd_sender_login_maps = ldap:ldapsender
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch

smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_CAfile = /etc/postfix/certs/cachain.pem
smtp_tls_CApath = /etc/postfix/certs
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes


Comment 3 Thomas Woerner 2005-10-04 13:42:17 UTC
Could you please verify if the problem is also present with the FC-4 postfix package?

Maybe you'd need to rebuild from the source package.

Comment 4 Thomas Woerner 2007-03-09 16:34:36 UTC
There has been an update for postfix in U4 to version 2.2.10-1.RHEL4.2.

Can you please verify if your problem still exists with the new version?

Comment 5 Thomas Woerner 2007-07-25 10:52:25 UTC
This bug entry was in needinfo for some time. Closing due to user inactivity as
"NOT A BUG".