Stefano Rivera (Posts about postfix)

s_client's R "feature"

Stefano Rivera — Tue, 17 Jul 2007 12:28:50 GMT

I've just spent a few hours brain-haemorrhaging over why my new Postfix server wasn't allowing me to enter "RCPT TO:" over a STARTTLS connection. Instead it would renegotiate the TLS.

Eventually I found an e-mail by Wietse Venema saying:

Victor Duchovni:
> On Mon, Jan 22, 2007 at 04:31:12PM -0500, Wietse Venema wrote: 
> > RCPT TO:<postmaster>
> > RENEGOTIATING
>
> You got bit by the "s_client" "R" feature... try "rcpt to:" lower case,
> then it hangs up.

What utter brain damage, a non-transparent SSL client program.

Read this and be warned -- we are all stupid, in the eyes of the truly mad s_client

Postfix + SMTP-AUTH

Stefano Rivera — Fri, 23 Feb 2007 15:18:12 GMT

I finally found a good blog post on the subject of getting Postfix to do SMTP-AUTH via SASL.

I went one step further, and instead of moving /var/run/saslauthd/ to the Postfix chroot, I did a bind mount:

/etc/fstab:

/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none bind 0     0

Postfix was announcing methods like CRAM-MD5 which can't be supported by the PAM backend, so I restricted them down to PLAIN and LOGIN (over TLS only, obviously):

/etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login

Now, it's working nicely, and I can IMAPS and SMTP-AUTH-TLS to my mail server from anywhere.