Red Hat Bugzilla – Bug 164013
smtpd_tls_auth_only = yes doesn't prevent auth in non-tls mode
Last modified: 2007-11-30 17:07:19 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4
Description of problem:
According to the documentation, the use of "smtpd_tls_auth_only = yes" is supposed to prevent postfix from performing authentication when not in TLS mode.
This is not the case. Postfix will stop advertising AUTH after an EHLO in non-TLS mode, but you can still provide "AUTH PLAIN ENCODED_CREDS" and, if correct, you will receive a "235 Authentication successful".
What should happen is that you receive a "538 Encryption required for requested authentication mechanism".
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. ensure smtpd_tls_auth_only = yes is set in main.conf
2. telnet to port 25 of the postfix server
3. issue AUTH PLAIN ENCODED_CREDENTIALS (where ENCODED_CREDENTIALS are your username and password in base64 encoding)
Actual Results: Authentication takes place and returns success if username and password are correct
Expected Results: Postfix returns error stating that you must use STARTTLS to authenticate
I wrote to the postfix mailing list on 22 July 2005 describing the problem. Here is the answer:
Compile Postfix 2.2 with TLS support. The TLS support in 2.1.5
is a 3rd-party patch and is not supported here. If you want bugfixes
for the 2.1 TLS addon, try RedHat.
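The reproduction steps above (telnet in the clear, EHLO, then AUTH PLAIN without STARTTLS) as a small probe script. This is an added example, not code from the bug report or from Postfix: the host, the account name "alice"/"s3cret" and the two server transcripts are constructed for illustration, and the verdict names are my own. Note that the probe deliberately sends a password in cleartext, so only ever point it at a throwaway test account on a server you operate.

```python
import base64
import io
import socket


def auth_plain_token(authcid: str, password: str, authzid: str = "") -> str:
    """SASL PLAIN initial response: base64(authzid NUL authcid NUL password)."""
    raw = f"{authzid}\0{authcid}\0{password}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def classify_auth_reply(code: int) -> str:
    """Map the reply code to the AUTH command to a verdict (names are my own)."""
    if code == 235:
        return "accepted_in_clear"        # the behaviour the report describes
    if code in (538, 530):
        return "rejected_tls_required"    # 538 is the reply the reporter expects
    if 500 <= code < 600:
        return "rejected_other"           # e.g. 503 when AUTH is not enabled at all
    return "unexpected"


def read_reply(rfile):
    """Read one SMTP reply, following multi-line continuation ('250-...')."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def send(wfile, cmd: str) -> None:
    wfile.write((cmd + "\r\n").encode("utf-8"))
    wfile.flush()


def probe_plaintext_auth(rfile, wfile, user, password, helo="probe.invalid") -> dict:
    """Greeting, EHLO, AUTH PLAIN with no STARTTLS, QUIT; report what the server did."""
    code, greeting = read_reply(rfile)
    if code != 220:
        raise RuntimeError(f"unexpected greeting: {greeting[-1]}")
    send(wfile, f"EHLO {helo}")
    code, ehlo = read_reply(rfile)
    if code != 250:
        raise RuntimeError(f"EHLO rejected: {ehlo[-1]}")
    # With smtpd_tls_auth_only the AUTH keyword should be absent from the cleartext EHLO reply.
    auth_advertised = any(line[4:].upper().startswith("AUTH") for line in ehlo)
    send(wfile, f"AUTH PLAIN {auth_plain_token(user, password)}")
    code, auth = read_reply(rfile)
    send(wfile, "QUIT")
    return {
        "auth_advertised_in_clear": auth_advertised,
        "auth_reply": auth[-1],
        "verdict": classify_auth_reply(code),
    }


def probe_transcript(server_lines: bytes, user="alice", password="s3cret"):
    """Run the probe against a canned server transcript; returns (result, bytes sent)."""
    rfile, wfile = io.BytesIO(server_lines), io.BytesIO()
    result = probe_plaintext_auth(rfile, wfile, user, password)
    return result, wfile.getvalue()


def probe_host(host: str, port: int = 25, user: str = "", password: str = "", timeout: float = 10) -> dict:
    """Run the probe against a live server (cleartext on port 25)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return probe_plaintext_auth(rfile, wfile, user, password)


# Constructed transcripts, not captured from a real server. Both omit AUTH from the
# EHLO reply, as the report says the 2.1.5 server does; they differ only in the AUTH reply.
BUGGY_SERVER = (b"220 mail.example.com ESMTP Postfix\r\n"
                b"250-mail.example.com\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
                b"235 Authentication successful\r\n"
                b"221 Bye\r\n")
FIXED_SERVER = (b"220 mail.example.com ESMTP Postfix\r\n"
                b"250-mail.example.com\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
                b"538 Encryption required for requested authentication mechanism\r\n"
                b"221 Bye\r\n")

if __name__ == "__main__":
    for name, transcript in (("buggy", BUGGY_SERVER), ("fixed", FIXED_SERVER)):
        print(name, probe_transcript(transcript)[0])
```

Against a real server, replace the canned transcripts with `probe_host("mail.example.com", user=..., password=...)`; a verdict of `accepted_in_clear` while `auth_advertised_in_clear` is false is exactly the mismatch the report describes: the server hides AUTH from the cleartext EHLO reply but still honours it.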
Can you please give an example for this?
What exactly do you have configured in your main.cf for tls and sasl?
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_helo_restrictions = permit_sasl_authenticated, reject_unknown_hostname
smtpd_sender_login_maps = ldap:ldapsender
smtpd_sender_restrictions = permit_mynetworks, reject_sender_login_mismatch
smtpd_tls_cert_file = /etc/postfix/certs/cert.pem
smtpd_tls_key_file = /etc/postfix/certs/key.pem
smtpd_tls_CAfile = /etc/postfix/certs/cachain.pem
smtp_tls_CApath = /etc/postfix/certs
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 0
smtpd_tls_received_header = yes
Could you please verify if the problem is also present with the FC-4 postfix?
Maybe you'd need to rebuild from the source package.
There has been an update for postfix in U4 to version 2.2.10-1.RHEL4.2.
Can you please verify if your problem still exists with the new version?
This bug entry was in needinfo for some time. Closing due to user inactivity as "NOT A BUG".