Bug 164013 - smtpd_tls_auth_only = yes doesn't prevent auth in non-tls mode
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: postfix
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Thomas Woerner
Keywords: Security
Reported: 2005-07-22 17:02 EDT by Harry Hoffman
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-07-25 06:52:25 EDT
Description Harry Hoffman 2005-07-22 17:02:33 EDT
Description of problem:
According to the documentation, the use of "smtpd_tls_auth_only = yes" is supposed to prevent Postfix from performing authentication when not in TLS mode.
This is not the case. Postfix will stop advertising AUTH after an EHLO in non-TLS mode, but you can still provide "AUTH PLAIN ENCODED_CREDS" and, if correct, you will receive a "235 Authentication successful".
What should happen is that you receive a "538 Encryption required for requested authentication mechanism".

Steps to Reproduce:
1. ensure smtpd_tls_auth_only = yes is set in main.conf
2. telnet to port 25 of the postfix server
3. issue AUTH PLAIN ENCODED_CREDENTIALS (where ENCODED_CREDENTIALS are your username and password in base64 encoding)

Actual Results: Authentication takes place and returns success if username and password are correct

Expected Results: Postfix returns error stating that you must use STARTTLS to authenticate

Additional info:

Wrote to the postfix mailing list on 22 July 2005 describing the problem. Here is the answer:
Compile Postfix 2.2.[45] with TLS support. The TLS support in 2.1.5
is a 3rd-party patch and is not supported here. If you want bugfixes
for the 2.1 TLS addon, try RedHat.
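A defender-side check for the behaviour described in the steps above, added here as an example that is not part of this bug report or of Postfix: it replays the EHLO / AUTH PLAIN exchange with a constructed, deliberately invalid token and classifies the server's reply, so an administrator can confirm on their own server that smtpd_tls_auth_only is actually enforced. The helo string, the host name and the reply-code sets are assumptions.

```python
import base64
import io
import socket

# 538 is the reply the reporter expects; a 503 "authentication not enabled"
# reply also means SASL was refused before STARTTLS. 334/235/535 all mean
# SASL ran in the clear (challenge / success / bad credentials): the bug here.
REFUSED_CODES = {503, 538}
PLAINTEXT_AUTH_CODES = {334, 235, 535}
# Constructed, deliberately invalid SASL PLAIN token ("\0bogus\0bogus").
BOGUS_TOKEN = base64.b64encode(b"\0bogus\0bogus").decode()

def read_reply(rfile) -> str:
    """Read one SMTP reply; continuation lines carry '-' after the code."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return "".join(lines)

def classify_auth_reply(reply: str) -> str:
    """Verdict for the server's reply to 'AUTH PLAIN' sent before STARTTLS."""
    code = int(reply.rstrip("\r\n").rsplit("\n", 1)[-1][:3])
    if code in REFUSED_CODES:
        return "refused"          # smtpd_tls_auth_only is enforced
    if code in PLAINTEXT_AUTH_CODES:
        return "plaintext-auth"   # SASL was attempted without TLS
    return "unexpected"

def check_plaintext_auth(rfile, wfile, helo="check.example") -> str:
    """Replay the reporter's exchange over read/write file objects."""
    read_reply(rfile)                                   # 220 banner
    wfile.write(f"EHLO {helo}\r\n"); wfile.flush()
    read_reply(rfile)                                   # EHLO capabilities
    wfile.write(f"AUTH PLAIN {BOGUS_TOKEN}\r\n"); wfile.flush()
    verdict = classify_auth_reply(read_reply(rfile))
    wfile.write("QUIT\r\n"); wfile.flush()
    return verdict

def check_transcript(server_replies: str) -> str:   # offline, for tests
    return check_plaintext_auth(io.StringIO(server_replies), io.StringIO())

def check_server(host: str, port: int = 25) -> str:  # live, your own server
    with socket.create_connection((host, port), timeout=10) as sock:
        rfile = sock.makefile("r", encoding="ascii", errors="replace")
        return check_plaintext_auth(rfile, sock.makefile("w", newline=""))
```

check_server("mail.example.org") returns "refused" on a server that enforces the setting; "plaintext-auth" is the result the reporter describes.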
Comment 1 Thomas Woerner 2005-09-08 06:19:45 EDT
Can you please give an example for this?
What exactly do you have configured in your main.cf for tls and sasl?
Comment 2 Harry Hoffman 2005-09-29 23:35:06 EDT
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_local_domain =
smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_hostname

smtpd_recipient_restrictions =
  reject_rhsbl_client blackhole.securitysage.com,
  reject_rhsbl_sender blackhole.securitysage.com,
  reject_rbl_client sbl-xbl.spamhaus.org,

smtpd_sender_login_maps = ldap:ldapsender
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch

smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_CAfile = /etc/postfix/certs/cachain.pem
smtp_tls_CApath = /etc/postfix/certs
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
Comment 3 Thomas Woerner 2005-10-04 09:42:17 EDT
Could you please verify if the problem is also present with the FC-4 postfix

Maybe you'd need to rebuild from the source package.
Comment 4 Thomas Woerner 2007-03-09 11:34:36 EST
There has been an update for postfix in U4 to version 2.2.10-1.RHEL4.2.

Can you please verify if your problem still exists with the new version?
Comment 5 Thomas Woerner 2007-07-25 06:52:25 EDT
This bug entry was in needinfo for some time. Closing due to user inactivity as