Bug 164013 - smtpd_tls_auth_only = yes doesn't prevent auth in non-tls mode
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: postfix
Version: 4.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
Keywords: Security
Reported: 2005-07-22 17:02 EDT by Harry Hoffman
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-07-25 06:52:25 EDT
Description Harry Hoffman 2005-07-22 17:02:33 EDT
Description of problem:
According to the documentation, the use of "smtpd_tls_auth_only = yes" is supposed to prevent Postfix from performing authentication when not in TLS mode.
This is not the case. Postfix will stop advertising AUTH after an EHLO in non-TLS mode, but you can still provide "AUTH PLAIN ENCODED_CREDS" and, if correct, you will receive a "235 Authentication successful".
What should happen is that you receive a "538 Encryption required for requested authentication mechanism".

Version-Release number of selected component (if applicable):
postfix-2.1.5-4.2.RHEL4

How reproducible:
Always

Steps to Reproduce:
1. ensure smtpd_tls_auth_only = yes is set in main.conf
2. telnet to port 25 of the postfix server
3. issue AUTH PLAIN ENCODED_CREDENTIALS   (where ENCODED_CREDENTIALS are your username and password in base64 encoding)

Actual Results:  Authentication takes place and returns success if username and password are correct

Expected Results:  Postfix returns error stating that you must use STARTTLS to authenticate

Additional info:

I wrote to the Postfix mailing list on 22 July 2005 describing the problem. Here is the answer:
Compile Postfix 2.2.[45] with TLS support. The TLS support in 2.1.5
is a 3rd-party patch and is not supported here. If you want bugfixes
for the 2.1 TLS addon, try RedHat.
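The reproduction from the report, run as a script instead of by hand. This is an added example, not code from the bug report, from Red Hat or from Postfix: it connects without STARTTLS, sends EHLO, then sends AUTH PLAIN whether or not AUTH was advertised, and classifies the server's reply. The hostname probe.example, the credentials alice/s3cret and the in-memory FakePostfix server are constructed for illustration; the fake's accepts_cleartext_auth switch models the behaviour the reporter observed (235 before STARTTLS) against the behaviour the reporter expected (538). One caveat for anyone re-testing on a newer Postfix: RFC 2554, current in 2005, specified 538 for this case, and RFC 4954 later replaced it with 504 5.5.4, so the classifier treats both as "encryption required".

```python
"""Probe whether an SMTP server honours AUTH PLAIN on a cleartext connection.

Added example; not Postfix code and not from the bug report. probe_host() does
the live check the reporter did with telnet, FakePostfix is a constructed
in-memory server so the same logic can be exercised offline.
"""
import base64
import socket

DEMO_USER = "alice"    # constructed demo credentials, not from the report
DEMO_PASS = "s3cret"


def build_auth_plain(username, password, authzid=""):
    """SASL PLAIN initial response (RFC 4616): base64(authzid NUL authcid NUL passwd)."""
    raw = f"{authzid}\0{username}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def classify_auth_reply(code):
    """Map the reply to AUTH onto the outcomes the report distinguishes."""
    if code == 235:
        return "accepted-cleartext"      # the reported behaviour
    if code in (538, 504):               # RFC 2554 used 538; RFC 4954 uses 504 5.5.4
        return "encryption-required"     # what the reporter expected
    if code in (503, 530, 535):
        return "refused"                 # AUTH not enabled / STARTTLS first / bad creds
    return "unexpected"


def read_reply(readline):
    """Parse one (possibly multi-line) SMTP reply into (code, [text lines])."""
    texts = []
    while True:
        line = readline().rstrip("\r\n")
        texts.append(line[4:])
        if line[3:4] != "-":             # "250-..." continues, "250 ..." ends the reply
            return int(line[:3]), texts


def probe(send, readline, username, password):
    """The reporter's steps: banner, EHLO, AUTH PLAIN without STARTTLS, QUIT."""
    code, _ = read_reply(readline)
    if code != 220:
        return {"error": f"unexpected banner {code}"}
    send("EHLO probe.example")           # placeholder client hostname
    _, ehlo = read_reply(readline)
    advertised = any(t.upper().startswith("AUTH") for t in ehlo)
    send("AUTH PLAIN " + build_auth_plain(username, password))
    code, _ = read_reply(readline)
    send("QUIT")
    read_reply(readline)
    return {"auth_advertised": advertised, "reply": code,
            "outcome": classify_auth_reply(code)}


def probe_host(host, port=25, username=DEMO_USER, password=DEMO_PASS, timeout=10):
    """Live check; it sends the credentials in cleartext, so use throwaway ones."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="latin-1")

        def send(cmd):
            sock.sendall((cmd + "\r\n").encode("latin-1"))

        return probe(send, reader.readline, username, password)


class FakePostfix:
    """Constructed stand-in for smtpd with smtpd_tls_auth_only = yes and no STARTTLS.

    accepts_cleartext_auth=True models the report: AUTH is not advertised before
    STARTTLS but an AUTH command is still honoured.
    """

    def __init__(self, accepts_cleartext_auth, username=DEMO_USER, password=DEMO_PASS):
        self.buggy = accepts_cleartext_auth
        self.expected = build_auth_plain(username, password)
        self.tls_active = False          # this demo never negotiates STARTTLS
        self.pending = ["220 mail.example ESMTP\r\n"]

    def send(self, cmd):
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = ["250-mail.example", "250-STARTTLS"]
            if self.tls_active:          # AUTH is only advertised under TLS
                exts.append("250-AUTH PLAIN LOGIN")
            exts.append("250 8BITMIME")
            self.pending += [e + "\r\n" for e in exts]
        elif verb == "AUTH":
            mech, _, initial = arg.partition(" ")
            if not self.tls_active and not self.buggy:
                self.pending.append("538 Encryption required for requested authentication mechanism\r\n")
            elif mech.upper() == "PLAIN" and initial == self.expected:
                self.pending.append("235 Authentication successful\r\n")
            else:
                self.pending.append("535 Authentication failed\r\n")
        elif verb == "QUIT":
            self.pending.append("221 Bye\r\n")
        else:
            self.pending.append("502 Command not implemented\r\n")

    def readline(self):
        return self.pending.pop(0)


def probe_fake(accepts_cleartext_auth, username=DEMO_USER, password=DEMO_PASS):
    """Run the probe against the constructed server (offline demo)."""
    srv = FakePostfix(accepts_cleartext_auth)
    return probe(srv.send, srv.readline, username, password)


if __name__ == "__main__":
    for buggy in (True, False):
        print("accepts cleartext AUTH:" if buggy else "enforces TLS first:", probe_fake(buggy))
```

Against a real server, `probe_host("mail.example.org")` reproduces the ticket: an `auth_advertised` of False together with an `outcome` of "accepted-cleartext" is exactly the combination the reporter describes, with AUTH hidden from EHLO but still honoured. Because the probe deliberately sends the credentials unencrypted, run it only with a throwaway account on a server you operate.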
Comment 1 Thomas Woerner 2005-09-08 06:19:45 EDT
Can you please give an example for this?
What exactly do you have configured in your main.cf for tls and sasl?
Comment 2 Harry Hoffman 2005-09-29 23:35:06 EDT
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_hostname

smtpd_recipient_restrictions =
  permit_sasl_authenticated,
  reject_invalid_hostname,
  reject_non_fqdn_hostname,
  reject_non_fqdn_sender,
  reject_non_fqdn_recipient,
  reject_unknown_sender_domain,
  reject_unknown_recipient_domain,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unauth_pipelining,
  reject_rhsbl_client blackhole.securitysage.com,
  reject_rhsbl_sender blackhole.securitysage.com,
  reject_rbl_client sbl-xbl.spamhaus.org,
  permit

smtpd_sender_login_maps = ldap:ldapsender
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch

smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_CAfile = /etc/postfix/certs/cachain.pem
smtp_tls_CApath = /etc/postfix/certs
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
Comment 3 Thomas Woerner 2005-10-04 09:42:17 EDT
Could you please verify if the problem is also present with the FC-4 postfix
package?

Maybe you'd need to rebuild from the source package.
Comment 4 Thomas Woerner 2007-03-09 11:34:36 EST
There has been an update for postfix in U4 to version 2.2.10-1.RHEL4.2.

Can you please verify if your problem still exists with the new version?
Comment 5 Thomas Woerner 2007-07-25 06:52:25 EDT
This bug entry was in needinfo for some time. Closing due to user inactivity as
"NOT A BUG".
