On 10Jul2015 10:17, Matthias Vallentin <vallen...@icir.org> wrote:
This workflow completely obviates any need to use "postponed" for a message
which is complete.

I like it! No need for a separate outbox with postfix being the outbox
itself. That's the fire-and-forget workflow I'm looking for.

All you really need to make this work in concert with an
ISP's SMTP service is to add a relayhost to /etc/postfix/main.cf. Here's
mine:

 relayhost = [service.l]:1025

I looked a bit around and also found instructions for GMail [1]. What
irks me though is that it requires putting a plain-text password into
/etc/postfix/sasl/sasl_passwd. Ideally I'd use my OSX keychain and put
in the password on demand via 'security find-generic-password'. How do
you handle SMTP server authentication?

I confess my security is weaker than it should be. My Mac postfix delivers via an haproxy which chooses one of two home servers, or failing that to an AWS VM. (All three via ssh tunnels, so the message travels to the servers encrypted).

Of these servers: one delivers to its ISP SMTP service, with no authentication needed; the other delivers to another ISP SMTP service and uses the sasl_passwd approach you rightly fear (only because sometimes it must reach that ISP SMTP service from "outside" the ISP's client network). And the AWS VM does direct SMTP delivery.

Since all three of these have the message delivered via an ssh tunnel to their 127.0.0.1 listening port, no authentication is needed to get to the server.

So in truth I sidestep the password issue I'm afraid.

I'm glad to learn of this "security" command. Now I need to learn to use it.

Here is postfix's documentation about setting up SASL:

 http://www.postfix.org/SASL_README.html

There doesn't seem to be an obvious way to plug in an arbitrary command to provide username:password credentials for use in outbound SMTP authentication.

Does the OSX keychain actually get you better security here? I suppose the keychain files themselves are encrypted whereas the sasl_passwd file is cleartext, and that gets into backups in the clear etc. But other than that, does it matter? You can (I believe) tell the postfix smtp client to require TLS so that the credentials are encrypted over the network. Is that enough?

Cheers,
Cameron Simpson <c...@zip.com.au>

The Borg assimilated my race and all I got was this lousy tagline.
       - Cath Lawrence <cath_lawre...@premium.com.au>
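As an added example (not from the thread and not Postfix's own code): a shell fragment that writes the relayhost, SASL and TLS settings discussed above into a scratch directory standing in for /etc/postfix, then checks the three things that decide whether the cleartext sasl_passwd is actually exposed: mandatory TLS on the smtp client, a root-only credential file, and a map key that matches relayhost. The relay host, port and credential are constructed placeholders.

```shell
# Added example, not from the thread. DIR stands in for /etc/postfix.
write_relay_config() {
  dir="$1"
  mkdir -p "$dir/sasl"
  cat > "$dir/main.cf.relay" <<'EOF'
# Send everything via the ISP relay; [] suppresses the MX lookup.
relayhost = [smtp.example.invalid]:587
# Authenticate with the credential from a root-only hash map.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
smtp_sasl_security_options = noanonymous
# Refuse to send the credential unless the session is TLS-protected.
smtp_tls_security_level = encrypt
EOF
  # Constructed placeholder credential; the key must equal relayhost exactly.
  printf '%s\n' '[smtp.example.invalid]:587 relayuser:CHANGEME' \
    > "$dir/sasl/sasl_passwd"
  chmod 600 "$dir/sasl/sasl_passwd"
}

# Returns 0 when the fragment is safe to use with a cleartext password map.
check_relay_config() {
  dir="$1"
  cf="$dir/main.cf.relay"
  pw="$dir/sasl/sasl_passwd"
  # 1. TLS must be mandatory; "may" or "none" would leak the password on the wire.
  grep -qE '^smtp_tls_security_level = (encrypt|secure|dane-only|fingerprint)$' "$cf" \
    || return 1
  # 2. The credential file must be readable by its owner only (mode 600).
  [ -n "$(find "$pw" -perm 600)" ] || return 1
  # 3. The map key must equal the relayhost value or the lookup silently fails
  #    and Postfix tries to relay unauthenticated.
  relay=$(sed -n 's/^relayhost = //p' "$cf")
  awk -v k="$relay" '$1 == k { found = 1 } END { exit !found }' "$pw" || return 1
  return 0
}
```

On a real system the fragment goes into main.cf and the map still needs `postmap hash:/etc/postfix/sasl/sasl_passwd` before Postfix can read it.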
