SASL – authentication of external clients
https://www.postfix.org/SASL_README.html
https://tools.ietf.org/html/rfc4954
# postconf -a
cyrus
dovecot
Dovecot authentication socket
conf.d/10-master.conf
service auth {
  ...
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
  ...
}
conf.d/10-auth.conf
auth_mechanisms = plain login
# echo -ne '\000user\000hasło' | openssl base64
AGphbnWzegBteDM1cGwwMQ==
# telnet mail.h25.pl 25
Trying 176.107.131.222...
Connected to h25.pl.
Escape character is '^]'.
220 mail.h25.pl ESMTP
ehlo klient.h25.pl
250-mail.h27.pl
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
AUTH PLAIN AGphbnWzegBteDM1cGwwMQ==
235 2.7.0 Authentication successful
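To make the AUTH PLAIN exchange above checkable, here is an added Python example (not from this page, Postfix or Dovecot): it builds and decodes the RFC 4616 PLAIN message that the echo | openssl base64 step produces, and audits an EHLO reply for AUTH being advertised before STARTTLS, as it is on port 25 in the session above. The EHLO reply and hostname are constructed; smtpd_tls_auth_only is the Postfix parameter that limits AUTH to TLS sessions.

```python
import base64

def sasl_plain_encode(authcid, passwd, authzid=""):
    """Build the PLAIN initial response: authzid NUL authcid NUL passwd, base64-encoded."""
    for field in (authzid, authcid, passwd):
        if "\0" in field:
            raise ValueError("NUL is the field separator and cannot appear inside a field")
    raw = f"{authzid}\0{authcid}\0{passwd}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")

def sasl_plain_decode(initial_response):
    """Recover (authzid, authcid, passwd) from a captured PLAIN blob; bytes that are
    not UTF-8 (e.g. a Latin-2 password typed in a terminal) are kept via 'replace'."""
    parts = base64.b64decode(initial_response).split(b"\0")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    return tuple(p.decode("utf-8", errors="replace") for p in parts)

def parse_ehlo(reply_lines):
    """Map EHLO keywords to their parameters; the first 250 line is the server domain."""
    caps = {}
    for index, line in enumerate(reply_lines):
        if not line.startswith("250") or len(line) < 4:
            continue
        body = line[4:].strip()
        if index == 0:
            caps["_domain"] = body
            continue
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps

def audit_ehlo(reply_lines, tls_active=False):
    """Findings for a reply seen on a cleartext (pre-STARTTLS) or on a TLS session."""
    caps, findings = parse_ehlo(reply_lines), []
    if not tls_active and "AUTH" in caps:
        findings.append("AUTH %s offered before STARTTLS: credentials would cross the wire "
                        "in clear (Postfix: smtpd_tls_auth_only = yes)" % " ".join(caps["AUTH"]))
    if not tls_active and "STARTTLS" not in caps:
        findings.append("STARTTLS not advertised")
    return findings

# Constructed sample modelled on the cleartext telnet session above (hostname is made up).
EHLO_REPLY = ["250-mail.example.test", "250-PIPELINING", "250-SIZE 10240000",
              "250-STARTTLS", "250-AUTH PLAIN LOGIN", "250-8BITMIME", "250 SMTPUTF8"]
if __name__ == "__main__":
    print(sasl_plain_encode("user", "pass"), sasl_plain_decode("AHVzZXIAcGFzcw=="))
    for finding in audit_ehlo(EHLO_REPLY):
        print("finding:", finding)
```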
# openssl s_client -connect mail.h25.pl:25 -starttls smtp
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = h25.pl
verify return:1
---
Certificate chain
 0 s:CN = h25.pl
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFRTCCBC2gAwIBAgISAxE3owuJe3Q9+Mp9/GTaS4ZWMA0GCSqGSIb3DQEBCwUA
.....
1sczbFkvYh3LWa+967Fd1tZMnBtMh158bOhqbvT0RhPBNHuuGg0jTK5Sz5UT8F/f
2TmmD/zF9S2K
-----END CERTIFICATE-----
subject=CN = h25.pl
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3437 bytes and written 772 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 SMTPUTF8
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 07D92640CC3740E29E9C43A74D3764979F3B855E702D000ECFD6F1E125149167
    Session-ID-ctx:
    Resumption PSK: 03DE338AF6ED0E458C9892A9FD2AA39CAEC9D2884BCC58042DF2980C088AD85DDB341373166AC78FD37B4468D60EEB3E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 85 57 24 e8 3f 75 ce 09-21 32 6e 9d 10 18 f7 73   .W$.?u..!2n....s
    .....
    00c0 - 88 6a 50 3e 66 77 c6 eb-3c 87 60 3c 1d 43 65 72   .jP>fw..<.`<.Cer

    Start Time: 1551085233
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 576D6191C6ED206CD87190859564AE4BD9A548BF54EF672255AE90BC1AEB4CC5
    Session-ID-ctx:
    Resumption PSK: 3EFC7DFEBEBF63D4AF9EFDF5EDE3B65170FAB3E49EFFD94318750EEFEDA7AEC2208805E02CA14C859CD009048EDD3356
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:
    0000 - 85 57 24 e8 3f 75 ce 09-21 32 6e 9d 10 18 f7 73   .W$.?u..!2n....s
    .....
    00c0 - 22 d1 e6 a0 b4 ab b7 00-2b 4e f2 31 a3 b4 0c 69   ".......+N.1...i

    Start Time: 1551085233
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK