* punit jain <[EMAIL PROTECTED]>: > Hi Patrick, > > I was going through link > http://postfix.state-of-mind.de/patrick.koetter/smtpauth/smtp_auth_mailclients.html > > " It appears that clients try authentication methods in the order as > advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5) which means that > if you disable plaintext passwords, clients will log in anonymously, even > when they should be able to use CRAM-MD5. So, if you disable PLAIN logins, > disable ANONYMOUS logins too. Postfix treats ANONYMOUS login as no > authentication "
WOW! Need to fix that. Definitely wrong. It does not appear that way to me anymore ... > I was a bit confused here in the sense it mentions if plaintext is disabled > client will login anonymously. > What role does smtpd_sasl_security_options = noanonymous play here ? smtpd_sasl_security_options sets a mechanism policy. The mechanisms announced by the Postfix smdpd server are restricted to the policy defined with $smtpd_sasl_security_options. Usage: It either forbids mechanisms that match a certain criteria such as "they all send the password in plaintext", which results in the option "noplaintext" or it sets a requirement, such as "mutual_auth" meaning client must authenticate to server AND server must authenticate to client which would result in using GSSAPI aka Kerberos. A reasonable setting is: smtpd_sasl_security_options = noanonymous This allows any available mechanism except for anonymous, as it is highly exploitable in the context of SMTP. (It's usable in the context of FTP or IMAP shared folder access). Another reasonable setting is: smtpd_sasl_security_options = noanonymous, noplaintext If you can't use TLS to shield SMTP AUTH conducted using plaintext mechanisms then you should not offer them. A good compromise is to forbid plaintext over unencrypted, but permit it over crypted communication (TLS): smtpd_sasl_security_options = noanonymous, noplaintext smtpd_tls_sasl_security_options = noanonymous As soon as a client has started a TLS session the SMTP session is restarted. The server then offers plaintext mechanisms and the client may have use them securely. [EMAIL PROTECTED] -- The Book of Postfix <http://www.postfix-book.com> saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
