I’ve just spent a few hours brain-haemorrhaging over why my new Postfix server wasn’t allowing me to enter “RCPT TO:” over a STARTTLS connection. Instead it would renegotiate the TLS.
Eventually I found an e-mail by Wietse Venema saying:
Victor Duchovni:
> On Mon, Jan 22, 2007 at 04:31:12PM -0500, Wietse Venema wrote:
> > RCPT TO:<postmaster>
> > RENEGOTIATING
>
> You got bit by the "s_client" "R" feature... try "rcpt to:" lower case,
> then it hangs up.

What utter brain damage, a non-transparent SSL client program.

Read this and be warned — we are all stupid, in the eyes of the truly mad.
I finally found a good blog post on the subject of getting Postfix to do SMTP-AUTH via SASL.
I went one step further, and instead of moving /var/run/saslauthd/ to the Postfix chroot, I did a bind mount:
Postfix was announcing methods like CRAM-MD5 which can’t be supported by the PAM backend, so I restricted them down to PLAIN and LOGIN (over TLS only, obviously):
Now, it’s working nicely, and I can IMAPS and SMTP-AUTH-TLS to my mail server from anywhere.
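To check the restriction described above, the following added example (not code from the original post) compares the EHLO reply seen before STARTTLS with the one seen after it, and flags AUTH offered in cleartext or mechanisms that saslauthd cannot verify. The sample replies and the hostname are constructed, and the function names are hypothetical.

```python
import re

# saslauthd is handed the plaintext password, so only these mechanisms can work
# with it; challenge-response ones (CRAM-MD5, DIGEST-MD5) cannot.
SASLAUTHD_MECHS = {"PLAIN", "LOGIN"}


def auth_mechs(ehlo_reply):
    """Return the SASL mechanisms advertised in one raw EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Covers "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=PLAIN LOGIN".
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs


def audit(plain_ehlo, tls_ehlo):
    """Compare the EHLO reply before STARTTLS with the one after it."""
    findings = []
    before, after = auth_mechs(plain_ehlo), auth_mechs(tls_ehlo)
    if before:
        findings.append("AUTH offered before STARTTLS: " + " ".join(sorted(before)))
    if after - SASLAUTHD_MECHS:
        findings.append("not verifiable by saslauthd: "
                        + " ".join(sorted(after - SASLAUTHD_MECHS)))
    if SASLAUTHD_MECHS - after:
        findings.append("missing over TLS: "
                        + " ".join(sorted(SASLAUTHD_MECHS - after)))
    return findings


# Constructed sample replies; mail.example.org is a placeholder hostname.
BEFORE_FIX_PLAIN = ("250-mail.example.org\n250-STARTTLS\n"
                    "250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN\n250 8BITMIME")
BEFORE_FIX_TLS = ("250-mail.example.org\n"
                  "250-AUTH CRAM-MD5 DIGEST-MD5 PLAIN LOGIN\n250 8BITMIME")
AFTER_FIX_PLAIN = "250-mail.example.org\n250-STARTTLS\n250 8BITMIME"
AFTER_FIX_TLS = "250-mail.example.org\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    for name, plain, tls in (("before fix", BEFORE_FIX_PLAIN, BEFORE_FIX_TLS),
                             ("after fix", AFTER_FIX_PLAIN, AFTER_FIX_TLS)):
        print(name, audit(plain, tls) or "OK")
```

When collecting the post-STARTTLS reply by hand with `openssl s_client`, the `-quiet` or `-ign_eof` option turns off the interactive "R" handling described at the top of this post.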