1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Postfix Requires TLS

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by TolgaK, Dec 8, 2010.

  1. TolgaK

    TolgaK Guest

    0
     
    Hello,

    I'm Using Plesk 10.0.1 on my Debian 5.0 Server.

    After upgrade i have switch to postfix from qmail. currently postfix requires TLS for SMTP connections. Users can not login to SMTP server without a secure TLS connection.

    By the way webmail clients like Roundcube or Horde continues to work.

    Firstly how can i configure postfix not to require TLS for connections?

    Secondly i want to secure TLS with an valid SSL certificate. Must i setup SSL to domain.com or mail.domain.com? (Note that ssl certificate is not wildcard)

    Thanks
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,543
    Likes Received:
    1,240
    Location:
    Novosibirsk, Russia
  3. tolginho

    tolginho Guest

    0
     
    Solution

    Edit /etc/postfix/master.cf file

    Original Value is like that:

    submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encyrpt-o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.$

    Change it as like as this one

    submission inet n - - - - smtpd -o smtpd_enforce_tls=no -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.$

    Then start postfix, that removes STARTTLS requirement at postfix submission service.
     
  4. hgmichna

    hgmichna Basic Pleskian

    24
    23%
    Joined:
    Oct 3, 2008
    Messages:
    69
    Likes Received:
    0
    Location:
    Munich, Germany
    Thanks a lot! That did it.

    I consider this a Plesk defect.

    By the way, the command to make postfix accept the changed settings is:

    postfix reload
     
  5. LiandelloH

    LiandelloH Guest

    0
     
    I thought I would uninstall the current installed courier-authlib, but if I try to uninstall it with you erase, it tells me it is going to erase a lot of packages which depend upon it, which are all Plesk-related packages.
    Though I am fine with being unable to manage email accounts with Plesk, I don't want to uninstall so much of Plesk (it looks like it is going to uninstall the whole Plesk!).
    So the question is, is there a way to get more authentication modules for courier-imap to work without uninstalling anything of Plesk? If so, how? I think the mysql authentication module would be ok for me.
     
    Last edited by a moderator: Jun 14, 2012
  6. Frater

    Frater Regular Pleskian

    18
     
    Joined:
    Oct 17, 2011
    Messages:
    173
    Likes Received:
    3
    Today I was trying to find out why Apple Mail was not able to mail using authentication over port 587 with ssl enabled on a Plesk server.

    I used tcpdump -nnA host <smtp-client> to see what was happening when I tried to send a mail. It did an EHLO and then it gave a message that's typical for greylisting.

    In its original configuration it will not give "AUTH DIGEST-MD5 LOGIN CRAM-MD5 PLAIN" as an option after giving an "EHLO". I guess it doesn't because authorization is only possible after giving a STARTTLS, but I have the feeling this confuses Apple Mail.

    Changing the line according to tolginho's post will give you the "AUTH line" back, but it still didn't work with Apple Mail. I finally gave up and turned off port 587 and let ASSP (anti-spam proxy) handle port 587.
    ASSP is able to manipulate the dialogue and will insert a STARTTLS even if the SMTP-server isn't able to do that. It will also make sure an AUTH is being done (and acknowledged) before it will allow further transmission.

    I still don't know why Apple Mail still doesn't authenticate after I changed that line in postfix, but the moment I let ASSP handle the mail it went flying....
     
Loading...