On Thu, 3 Sep 2015, hw wrote:
>
>
> Am 03.09.2015 um 15:37 schrieb Jeremy Harris:
> > On 03/09/15 14:17, hw wrote:
> > > server_advertise_condition = ${if def:tls_cipher }
> >
> > Ah, not quite. This option explicitly needs a string result
> > to activate:
> >
> > server_advertise_condition = ${if def:tls_cipher {yes}{no}}
>
> Thanks, I changed that. The LOGIN authenticator is now configured, too.
>
> > > After making /etc/shadow readable by the mail group, it kinda works. Is
> > > it really necessary to change permission on /etc/shadow?
> >
> > Where in the processing flow does it fail without that change?
>
> It fails when I set the MUA to use STARTTLS and "normal password"
> authentication.
>
> > > "Kinda works" means that I can now send messages via port 587 without
> > > any authentication at all, with unencrypted authentication and when
> > > using STARTTLS. Authentication and encryption must be required, though.
> >
> > So now you need to block 587 to non-auth'd use. Do that in your
> > mail-from ACL.
>
> Not acl_smtp_mailauth? I tried in acl_check_helo and only was rejected all
> the time.
Near the top of my acl_check_rcpt I have:
accept authenticated = *
control = submission
which accepts authenticated mails before rejecting relay attempts etc.
> Why is this so awfully difficult and painful? I've been dreading it for years
> ...
>
>
--
[http://pointless.net/] [0x2ECA0975]
