I’ve just spent a few hours brain-haemorrhaging over why my new Postfix server wasn’t allowing me to enter “RCPT TO:” over a STARTTLS connection. Instead it would renegotiate the TLS session.
Eventually I found an e-mail by Wietse Venema saying:
Victor Duchovni:
> On Mon, Jan 22, 2007 at 04:31:12PM -0500, Wietse Venema wrote:
> > RCPT TO:<postmaster>
> > RENEGOTIATING
>
> You got bit by the "s_client" "R" feature... try "rcpt to:" lower case,
> then it hangs up.
What utter brain damage, a non-transparent SSL client program.
Read this and be warned — we are all stupid, in the eyes of the truly mad s_client
I finally found a good blog post on the subject of getting Postfix to do SMTP-AUTH via SASL.
I went one step further, and instead of moving /var/run/saslauthd/
to the Postfix chroot, I did a bind mount:
/etc/fstab:
Postfix was announcing mechanisms like CRAM-MD5 which can’t be supported by the PAM backend (it can only verify a plaintext password), so I restricted them to PLAIN and LOGIN (over TLS only, obviously):
/etc/postfix/sasl/smtpd.conf:
Now, it’s working nicely, and I can IMAPS and SMTP-AUTH-TLS to my mail server from anywhere.
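As an added check (my own example, not from the original post or from Postfix), here is a small Python script that verifies the mechanism policy described above from two EHLO replies: the one seen on the plaintext connection must offer STARTTLS and no AUTH, and the one seen after STARTTLS must offer only PLAIN and LOGIN. The hostname and replies are constructed samples, not captures from a real server.

```python
from typing import Dict, List

# Mechanisms the post restricts Postfix to (the PAM backend can only verify
# plaintext passwords, so CRAM-MD5/DIGEST-MD5 cannot work).
ALLOWED_MECHANISMS = {"PLAIN", "LOGIN"}


def parse_ehlo(reply: str) -> Dict[str, List[str]]:
    """Parse a 250 EHLO reply into {KEYWORD: [params]}; handles legacy AUTH=."""
    caps: Dict[str, List[str]] = {}
    lines = [ln for ln in reply.splitlines() if ln.strip()]
    for idx, line in enumerate(lines):
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            raise ValueError(f"not a 250 EHLO line: {line!r}")
        if idx == 0:
            continue  # first line carries the server hostname, not a keyword
        parts = line[4:].split()
        if not parts:
            continue
        keyword, _, glued = parts[0].partition("=")  # "AUTH=PLAIN LOGIN" form
        params = ([glued] if glued else []) + parts[1:]
        caps[keyword.upper()] = [p.upper() for p in params]
    return caps


def check_auth_policy(plain_reply: str, tls_reply: str) -> List[str]:
    """Compare EHLO replies seen before and after STARTTLS; return findings."""
    findings: List[str] = []
    before, after = parse_ehlo(plain_reply), parse_ehlo(tls_reply)
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered on the plaintext connection")
    if "AUTH" in before:
        findings.append("AUTH advertised before STARTTLS (credentials in clear)")
    offered = set(after.get("AUTH", []))
    if not offered:
        findings.append("no AUTH mechanisms offered after STARTTLS")
    for mech in sorted(offered - ALLOWED_MECHANISMS):
        findings.append(f"unexpected mechanism advertised: {mech}")
    return findings


# Constructed sample replies (not captured from a real server).
PLAIN_EHLO = "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
TLS_EHLO_BEFORE_FIX = ("250-mail.example.test\r\n"
                       "250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5\r\n250 8BITMIME\r\n")
TLS_EHLO_AFTER_FIX = "250-mail.example.test\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    for label, reply in (("before", TLS_EHLO_BEFORE_FIX), ("after", TLS_EHLO_AFTER_FIX)):
        print(label, check_auth_policy(PLAIN_EHLO, reply) or "OK")
```

To capture the post-STARTTLS reply by hand with `openssl s_client -starttls smtp`, pass `-ign_eof` (or `-quiet`): s_client only treats a leading `R` or `Q` as a command in interactive mode, which is what turned the “RCPT TO:” above into a renegotiation.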