postfix

s_client's R "feature"

I’ve just spent a few hours brain-haemorrhaging over why my new Postfix server wasn’t allowing me to enter “RCPT TO:” over a STARTTLS connection. Instead it would renegotiate the TLS.

Eventually I found an e-mail by Wietse Venema saying:

Victor Duchovni:
> On Mon, Jan 22, 2007 at 04:31:12PM -0500, Wietse Venema wrote: 
> > RCPT TO:<postmaster>
> > RENEGOTIATING
>
> You got bit by the "s_client" "R" feature... try "rcpt to:" lower case,
> then it hangs up.

What utter brain damage, a non-transparent SSL client program.

Read this and be warned — we are all stupid, in the eyes of the truly mad s_client.

Postfix + SMTP-AUTH

I finally found a good blog post on the subject of getting Postfix to do SMTP-AUTH via SASL.

I went one step further, and instead of moving /var/run/saslauthd/ to the Postfix chroot, I did a bind mount:

/etc/fstab:

/var/run/saslauthd /var/spool/postfix/var/run/saslauthd none bind 0     0

Postfix was announcing methods like CRAM-MD5 which can’t be supported by the PAM backend, so I restricted them down to PLAIN and LOGIN (over TLS only, obviously):

/etc/postfix/sasl/smtpd.conf:

pwcheck_method: saslauthd
mech_list: plain login

Now, it’s working nicely, and I can IMAPS and SMTP-AUTH-TLS to my mail server from anywhere.
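To confirm the restriction took effect, the EHLO replies seen before and after STARTTLS can be compared. The script below is an added example, not part of the original post; the host name and the sample replies are constructed, and the function names are hypothetical.

```python
import re
import smtplib
import ssl

# saslauthd only verifies a plaintext password, so only these can work.
ALLOWED = {"PLAIN", "LOGIN"}

def auth_mechs(ehlo_reply):
    """SASL mechanisms advertised in an EHLO reply (with or without '250-' prefixes)."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Matches "250-AUTH PLAIN LOGIN" and the legacy "AUTH=PLAIN LOGIN" form.
        m = re.match(r"(?:250[- ])?AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def audit(pre_tls, post_tls):
    """Compare the EHLO replies from before and after STARTTLS; return findings."""
    findings = []
    before, after = auth_mechs(pre_tls), auth_mechs(post_tls)
    if not re.search(r"^(?:250[- ])?STARTTLS\s*$", pre_tls, re.I | re.M):
        findings.append("STARTTLS not offered")
    if before:  # PLAIN/LOGIN must only be usable once TLS is up
        findings.append("AUTH offered before STARTTLS: " + " ".join(sorted(before)))
    if not after:
        findings.append("no AUTH offered after STARTTLS")
    if after - ALLOWED:
        findings.append("mechanisms saslauthd cannot serve: " + " ".join(sorted(after - ALLOWED)))
    return findings

def fetch(host, port=25):
    """Collect both EHLO replies from a live server."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        pre = s.ehlo_resp.decode()
        s.starttls(context=ssl.create_default_context())
        s.ehlo()
        return pre, s.ehlo_resp.decode()

# Constructed sample replies, not captured from the author's server.
BEFORE_FIX = "250-mail.example.org\n250-STARTTLS\n250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN\n250 8BITMIME"
PRE_TLS = "250-mail.example.org\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
POST_TLS = "250-mail.example.org\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    print(audit(PRE_TLS, POST_TLS))       # restricted setup: no findings
    print(audit(BEFORE_FIX, BEFORE_FIX))  # extra mechanisms, AUTH before TLS
```

Against a real server, `audit(*fetch("mail.example.org"))` runs the same checks on live replies.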
