I have a mail server running on CentOS 7.2 which has been working for my LAN for a long time.
I'm at the point where I have to make it accessible to the internet. At the moment, access can be insecure but as it's on my LAN it isn't an issue.
However, for internet access I wish to force SSL/TLS. Having read the documents I think it's as simple as changing 10-ssl.conf from
ssl = yes
to
ssl = required
remote 10.0.0.0/8 {
  ssl = yes
}
Am I right in thinking that this would make the global value now force SSL/TLS to be required, but for my LAN (10.0.0.0/8) override this with the old value of 'yes'?
Is there a better way to do this? Have I missed anything? I believe that this implies
disable_plaintext_auth = no
for all except my LAN. Is that right?
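The change asked about, written out in full as an added example. This is not configuration taken from the thread: the file path is the stock CentOS 7 layout (assumed), and the disable_plaintext_auth line inside the remote block is an assumption about what the LAN clients need.

```conf
# /etc/dovecot/conf.d/10-ssl.conf   (path assumed: stock CentOS 7 / Dovecot 2 layout)

# Before: TLS is offered but optional.  Whether a client may still send
# LOGIN in the clear is then decided by disable_plaintext_auth alone.
#ssl = yes

# After: TLS is mandatory.  A plaintext connection on 143 may only issue
# STARTTLS; LOGIN and AUTH=PLAIN are refused and LOGINDISABLED is advertised.
ssl = required

# LAN override.  A remote block matches on the client's source address as
# Dovecot sees it, so a NAT or proxy in front of the server changes which
# clients land here.
remote 10.0.0.0/8 {
  ssl = yes
  # Assumed: only needed if LAN clients really must log in without TLS.
  # The Dovecot 2 default is yes; leave the global value at that default.
  disable_plaintext_auth = no
}
```

Apply with `systemctl restart dovecot` and confirm what was actually loaded with `doveconf -n`, which prints the remote block together with the settings it overrides; a typo in the block silently leaves the global `ssl = required` in force for the LAN as well.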
I've tried the changes that I put below. Users are still able to log in from the LAN.
However, despite putting the appropriate rule in my firewall allowing port 143 I cannot create a user on a PC outside my network.
I'm using Thunderbird to do the testing. Is there a better way to test my setup? Thunderbird doesn't give any diagnostic data, it just says it's failed to test the account.
On Thursday 05 May 2016 11:03:34 Gary Stainburn wrote:
> I have a mail server running on CentOS 7.2 which has been working for my LAN for a long time.
> I'm at the point where I have to make it accessible to the internet. At the moment, access can be insecure but as it's on my LAN it isn't an issue.
> However, for internet access I wish to force SSL/TLS. Having read the documents I think it's as simple as changing 10-ssl.conf from
> ssl = yes
> to
> ssl = required
> remote 10.0.0.0/8 {
>   ssl = yes
> }
> Am I right in thinking that this would make the global value now force SSL/TLS to be required, but for my LAN (10.0.0.0/8) override this with the old value of 'yes'?
> Is there a better way to do this? Have I missed anything? I believe that this implies
> disable_plaintext_auth = no
> for all except my LAN. Is that right?
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 05.05.2016 at 16:18 Gary Stainburn wrote:
> I've tried the changes that I put below. Users are still able to log in from the LAN.
> However, despite putting the appropriate rule in my firewall allowing port 143 I cannot create a user on a PC outside my network.
> I'm using Thunderbird to do the testing. Is there a better way to test my setup? Thunderbird doesn't give any diagnostic data, it just says it's failed to test the account.
Connect with:
openssl s_client -connect <your server IP address>:143 -starttls imap
Then issue IMAP commands:
01 CAPABILITY
02 LOGIN user password
03 LOGOUT
That should be successful and you should have seen the configured AUTH mechanisms. Now try without transport layer security:
telnet <your server IP address> 143
01 LOGIN user password
That should be forbidden because of LOGINDISABLED.
Regards
Alexander
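Alexander's two manual sessions, automated as an added example. This is not code from the thread and not a Dovecot tool: it opens the same plaintext connection on port 143, checks that STARTTLS and LOGINDISABLED are advertised, confirms that a plaintext LOGIN is refused, then upgrades with STARTTLS and checks that authentication is available again. The host, port, credentials and the --insecure flag are assumptions for illustration, and the capability strings it is tested against are constructed.

```python
"""Check that an IMAP server refuses plaintext authentication until STARTTLS.

Added example, not code from the thread: it automates the openssl/telnet test
above (plaintext connect on 143, look for STARTTLS and LOGINDISABLED, confirm a
plaintext LOGIN is refused, upgrade with STARTTLS, confirm a login then works).
Host, port and credentials are command-line arguments, not from the thread.
"""
import argparse
import imaplib
import ssl
import sys

# SASL mechanisms that would carry the password in the clear before STARTTLS.
PLAINTEXT_MECHS = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(caps):
    """Upper-cased token set from a '* CAPABILITY ...' line (bytes/str) or from
    the tuple imaplib exposes as IMAP4.capabilities."""
    if isinstance(caps, bytes):
        caps = caps.decode("ascii", "replace")
    if isinstance(caps, str):
        tokens = caps.split()
        if tokens[:1] == ["*"]:                       # untagged-response marker
            tokens = tokens[1:]
        if tokens and tokens[0].upper() == "CAPABILITY":
            tokens = tokens[1:]
    else:
        tokens = list(caps)
    return {t.upper() for t in tokens}


def assess(plain_caps, tls_caps):
    """Findings from the capabilities seen before and after STARTTLS; an empty
    list means: no password in the clear, and login possible once TLS is up."""
    findings = []
    if "STARTTLS" not in plain_caps:
        findings.append("plaintext session does not offer STARTTLS")
    if "LOGINDISABLED" not in plain_caps:
        findings.append("plaintext session lacks LOGINDISABLED: LOGIN is accepted in the clear")
    for mech in sorted(plain_caps & PLAINTEXT_MECHS):
        findings.append(f"{mech} advertised before STARTTLS")
    if "LOGINDISABLED" in tls_caps:
        findings.append("LOGINDISABLED still advertised after STARTTLS: nobody can log in")
    return findings


def check_server(host, port=143, user=None, password=None, verify=True):
    """Live check against host:port.  Returns (findings, plain_caps, tls_caps)."""
    findings = []
    conn = imaplib.IMAP4(host, port)                  # plain TCP, no TLS yet
    plain_caps = parse_capabilities(conn.capabilities)
    if user is not None:
        try:
            conn.login(user, password)                # the server should answer NO
            findings.append("plaintext LOGIN succeeded: password sent in the clear")
            conn.logout()                             # STARTTLS is only valid before auth
            conn = imaplib.IMAP4(host, port)
        except imaplib.IMAP4.error:
            pass                                      # refused, as expected
    ctx = ssl.create_default_context()
    if not verify:                                    # e.g. a self-signed certificate
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        conn.starttls(ctx)
    except imaplib.IMAP4.error as exc:                # also raised if STARTTLS is not offered
        return findings + assess(plain_caps, set()) + [f"STARTTLS failed: {exc}"], plain_caps, set()
    tls_caps = parse_capabilities(conn.capabilities)  # imaplib re-reads them after STARTTLS
    findings.extend(assess(plain_caps, tls_caps))
    if user is not None:
        try:
            conn.login(user, password)
        except imaplib.IMAP4.error as exc:
            findings.append(f"LOGIN over TLS failed: {exc}")
    conn.logout()
    return findings, plain_caps, tls_caps


def main(argv=None):
    ap = argparse.ArgumentParser(description="IMAP STARTTLS enforcement check")
    ap.add_argument("host")
    ap.add_argument("--port", type=int, default=143)
    ap.add_argument("--user")
    ap.add_argument("--password")
    ap.add_argument("--insecure", action="store_true", help="skip certificate verification")
    args = ap.parse_args(argv)
    findings, plain_caps, tls_caps = check_server(
        args.host, args.port, args.user, args.password, verify=not args.insecure)
    print("before STARTTLS:", " ".join(sorted(plain_caps)))
    print("after STARTTLS: ", " ".join(sorted(tls_caps)))
    for finding in findings:
        print("FAIL:", finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from outside the LAN as `python3 imap_tls_check.py <your server IP address> --user user --password password` (file name assumed); the exit status is non-zero whenever a finding is printed, so the same script can run from a cron job after every Dovecot change. With certificate verification left on, an untrusted certificate makes the STARTTLS step raise an ssl error that names the reason, which is more than Thunderbird reports; --insecure skips that check for a self-signed certificate.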
On Thursday 05 May 2016 15:34:48 Alexander Dalloz wrote:
> Connect with:
> openssl s_client -connect <your server IP address>:143 -starttls imap
> Then issue IMAP commands:
> 01 CAPABILITY
> 02 LOGIN user password
> 03 LOGOUT
> That should be successful and you should have seen the configured AUTH mechanisms. Now try without transport layer security:
> telnet <your server IP address> 143
> 01 LOGIN user password
> That should be forbidden because of LOGINDISABLED.
> Regards
> Alexander
Thanks for this Alexander.
I tried this from inside my LAN and both the openssl and the telnet sessions worked. I then tried it from outside my LAN and the openssl session worked while the telnet session failed.
Exactly what I wanted. That does beg the question as to why Thunderbird failed.