Re: nossl authentication

[Jim Nasby <decibel(at)decibel(dot)org>]

On Nov 19, 2006, at 10:25 AM, Tom Allison wrote:
> postfix doesn't appear to "do" SSL connections and I turned on ssl.
> I'm trying to connect to the database dbmail to read a view that I  
> created using the dbmail_ tables.  I've verified that the username  
> and password have SELECT rights to this view using psql.
>
> This is to support the statement in postfix of:
> local_recipient_maps = pgsql:/etc/postfix/pgsql-recipients.cf
>
> where pgsql-recipients.cf contains:
> user     =  postfix
> password =  XXXXXXXXX
> hosts    =  127.0.0.1
> dbname   =  dbmail
>
> query = SELECT username FROM postfix_users WHERE username = '%s'
>
>
> Everytime postfix tries to authenticate against postgresql, it  
> fails because it can't do a SSL and doesn't bother to try a non-ssl  
> connection.  At least that's what I'm led to believe.
>
> I've tried settting pg_hba to:
>
> local   all         postgres                          ident sameuser
> local   all         all                               md5
> host    dbmail      all         127.0.0.1/32          md5
> hostssl all         all         192.168.1.0/24        md5
> hostssl all         all         192.168.0.0/24        md5
> host    all         all         ::1/128               md5
>
> I keep getting the same error:
>
>
> POSTFIX
> Nov 19 10:57:11 cling postfix/smtpd[5364]: warning: connect to  
> pgsql server 127.0.0.1: SSL SYSCALL error: Success?
>
> POSTGRESQL
> 2006-11-19 10:57:11 EST 5517 [unknown] LOG:  connection received:  
> host=127.0.0.1 port=32990
> 2006-11-19 10:57:11 EST 5517 [unknown] LOG:  could not accept SSL  
> connection: EOF detected
>
>
> Every one of these results in a temporary delivery failure of the  
> incoming email.  I believe it's specifically a tempororary lookup  
> failure.
>
> I've tried setting hostnossl connections for the user postfix but  
> they aren't being effective.

Actually, I think that means that postfix *is* trying to connect with  
SSL, but since there's no hostssl line for localhost, it's getting  
denied.

Try adding

hostssl dbmail      all         127.0.0.1/32          md5

to the end of the file.

Better yet would be to try getting postfix not to use SSL, since it's  
just burning cycles for no reason if postfix and PostgreSQL are on  
the same machine. Better yet would be a local socket connection. If  
you make use of pg_service.conf I suspect you can do that, even if  
postfix doesn't have the right support for it.
--
Jim Nasby                                            jim(at)nasby(dot)net
EnterpriseDB      http://enterprisedb.com      512.569.9461 (cell)