Postfix TLS authentication not enabled [closed]

You might have added smtpd_tls_auth_only=yes to your main.cf?

This option ensures that authentication occurs only after TLS is set up.

Therefore, if you telnet to your SMTP port and then issue an AUTH command, you will get that "not enabled" error, since it is still not a TLS connection at this time.


As you don't see anything in your Postfix log, at least Postfix must be configured incorrectly.

First, confirm that Dovecot is configured (in dovecot.conf) with something like:

auth default {
    mechanisms = plain login
    passdb pam {
    }
    userdb passwd {
    }
    user = root
    socket listen {
      client {
        path = /var/spool/postfix/private/auth
        mode = 0660
        user = postfix
        group = postfix
      }
    }
}

Confirm the following in your postfix main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_sasl_authenticated

and in master.cf, make sure that your submission port offers the SASL service. You can put this in your smtp service for auth on port 25, but this is unusual. You should also put it in your smtps service for encrypted access:

submission inet n - - - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_sasl_local_domain=$myhostname
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=reject_sender_login_mismatch
  -o smtpd_recipient_restrictions=reject_non_fqdn_recipient,reject_unknown_recipient_domain,permit_sasl_authenticated,reject

There are two different things.

1: SSL/TLS support

2: authentication

They are independent, i.e. it is possible to have one of them without the other. Of course, it is much better if authentication happens only over an already encrypted channel.

Probably your Postfix doesn't have the second one (the auth), only TLS.

Authentication on Postfix happens through the SASL authentication daemon, which also needs to be configured.

mxtoolbox says everything is O.K., because it doesn't check the auth, only the encryption.
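
Added example, not part of any of the answers above: a small Python check that tells the two cases apart (AUTH hidden until STARTTLS, as with smtpd_tls_auth_only=yes, versus SASL not enabled at all) by comparing the EHLO reply before and after TLS. The sample replies and the names parse_ehlo and diagnose are constructed for illustration; real replies could be copied from a telnet session and from an `openssl s_client -starttls smtp` session.

```python
import re

# Constructed sample EHLO replies (not captured from a real server).
# Before STARTTLS: TLS is offered, AUTH is not advertised.
EHLO_PLAIN = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""

# After STARTTLS on the same server: AUTH is now advertised.
EHLO_TLS = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    caps = {}
    # The first line is the server's hostname/greeting, not a capability.
    for line in reply.strip().splitlines()[1:]:
        # Accept both "AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form.
        m = re.match(r"250[- ]([A-Za-z0-9-]+)(?:[ =](.*))?$", line.strip())
        if m:
            caps[m.group(1).upper()] = (m.group(2) or "").upper().split()
    return caps


def diagnose(plain_reply, tls_reply=None):
    """Classify a server from its EHLO before and (optionally) after STARTTLS.

    Returns (verdict, mechanisms)."""
    plain = parse_ehlo(plain_reply)
    if "AUTH" in plain:
        # Credentials could be sent without encryption on this port.
        return ("auth-in-cleartext", plain["AUTH"])
    if "STARTTLS" not in plain:
        return ("no-tls-no-auth", [])
    if tls_reply is None:
        # AUTH missing before TLS proves nothing yet; EHLO must be repeated.
        return ("need-post-tls-ehlo", [])
    tls = parse_ehlo(tls_reply)
    if "AUTH" in tls:
        return ("auth-after-tls-only", tls["AUTH"])
    # TLS works but AUTH never appears: SASL is not enabled on this service.
    return ("tls-without-auth", [])
```

A verdict of auth-after-tls-only matches the behaviour described in the first answer; tls-without-auth matches the situation described in the last one.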