
Postfix Requires TLS

TolgaK

Guest
Hello,

I'm using Plesk 10.0.1 on my Debian 5.0 server.

After the upgrade I switched from qmail to Postfix. Currently Postfix requires TLS for SMTP connections. Users cannot log in to the SMTP server without a secure TLS connection.

By the way, webmail clients like Roundcube or Horde continue to work.

Firstly, how can I configure Postfix not to require TLS for connections?

Secondly, I want to secure TLS with a valid SSL certificate. Must I set up SSL for domain.com or mail.domain.com? (Note that the SSL certificate is not a wildcard.)

Thanks
 
Solution

Edit the /etc/postfix/master.cf file.

The original value looks like this:

submission inet n - - - - smtpd -o smtpd_enforce_tls=yes -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.$

Change it to look like this:

submission inet n - - - - smtpd -o smtpd_enforce_tls=no -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_sender_restrictions= -o smtpd_proxy_filter=127.$

Then start Postfix; that removes the STARTTLS requirement on the Postfix submission service.
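
Added example, not part of the original thread and not Plesk or Postfix code: a Python check that reads the -o overrides of a master.cf service line and reports whether SASL AUTH can be sent without STARTTLS, run against the "before" and "after" submission entries above. The function names are hypothetical, the sample lines are constructed from the post (the truncated smtpd_proxy_filter option is left out), and values inherited from main.cf are not read.

```python
import shlex

# Constructed sample lines modelled on the two submission entries quoted in
# the thread (the truncated smtpd_proxy_filter option is left out).
BEFORE = ("submission inet n - - - - smtpd -o smtpd_enforce_tls=yes "
          "-o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes "
          "-o smtpd_client_restrictions=permit_sasl_authenticated,reject")
AFTER = BEFORE.replace("smtpd_enforce_tls=yes", "smtpd_enforce_tls=no") \
              .replace("security_level=encrypt", "security_level=may")


def parse_overrides(line):
    """Return (service, {param: value}) for one master.cf service line."""
    fields = shlex.split(line)
    if len(fields) < 8:
        raise ValueError("not a complete master.cf service entry")
    overrides, args = {}, fields[8:]
    i = 0
    while i < len(args):
        if args[i] == "-o" and i + 1 < len(args) and "=" in args[i + 1]:
            name, _, value = args[i + 1].partition("=")
            overrides[name.strip()] = value.strip()
            i += 2
        else:
            i += 1
    return fields[0], overrides


def cleartext_auth_possible(line):
    """True if the entry lets a client send SASL AUTH without STARTTLS.

    Assumption: only the -o overrides on this line are considered; values
    inherited from main.cf are not read.
    """
    _, o = parse_overrides(line)
    if o.get("smtpd_sasl_auth_enable", "no") != "yes":
        return False                      # AUTH is not offered at all
    level = o.get("smtpd_tls_security_level", "")
    if not level:                         # legacy parameter as fallback
        level = "encrypt" if o.get("smtpd_enforce_tls") == "yes" else "none"
    if level == "encrypt":                # implies smtpd_tls_auth_only=yes
        return False
    return o.get("smtpd_tls_auth_only", "no") != "yes"


if __name__ == "__main__":
    for label, line in (("before", BEFORE), ("after", AFTER)):
        print(label, "cleartext AUTH possible:", cleartext_auth_possible(line))
```

With smtpd_tls_security_level=may, adding -o smtpd_tls_auth_only=yes keeps STARTTLS optional for the session but stops Postfix from accepting AUTH before TLS is active.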
 
Edit /etc/postfix/master.cf file
...
Then start Postfix; that removes the STARTTLS requirement on the Postfix submission service.

Thanks a lot! That did it.

I consider this a Plesk defect.

By the way, the command to make postfix accept the changed settings is:

postfix reload
 
I thought I would uninstall the currently installed courier-authlib, but if I try to uninstall it with yum erase, it tells me it is going to erase a lot of packages which depend upon it, which are all Plesk-related packages.
Though I am fine with being unable to manage email accounts with Plesk, I don't want to uninstall so much of Plesk (it looks like it is going to uninstall the whole Plesk!).
So the question is, is there a way to get more authentication modules for courier-imap to work without uninstalling anything of Plesk? If so, how? I think the mysql authentication module would be ok for me.
 
Today I was trying to find out why Apple Mail was not able to mail using authentication over port 587 with ssl enabled on a Plesk server.

I used tcpdump -nnA host <smtp-client> to see what was happening when I tried to send a mail. It did an EHLO and then it gave a message that's typical for greylisting.

In its original configuration it will not give "AUTH DIGEST-MD5 LOGIN CRAM-MD5 PLAIN" as an option after giving an "EHLO". I guess it doesn't because authorization is only possible after giving a STARTTLS, but I have the feeling this confuses Apple Mail.

Changing the line according to tolginho's post will give you the "AUTH line" back, but it still didn't work with Apple Mail. I finally gave up and turned off port 587 and let ASSP (anti-spam proxy) handle port 587.
ASSP is able to manipulate the dialogue and will insert a STARTTLS even if the SMTP-server isn't able to do that. It will also make sure an AUTH is being done (and acknowledged) before it will allow further transmission.

I still don't know why Apple Mail still doesn't authenticate after I changed that line in postfix, but the moment I let ASSP handle the mail it went flying....
 