Thanks. This clears my doubt. :-)

On Sat, Aug 16, 2008 at 6:50 PM, Patrick Ben Koetter <[EMAIL PROTECTED]> wrote:

> * Wietse Venema <[EMAIL PROTECTED]>:
> > Patrick Ben Koetter:
> > > A reasonable setting is:
> > >
> > >     smtpd_sasl_security_options = noanonymous
> > >
> > > This allows any available mechanism except for anonymous, as it is highly
> > > exploitable in the context of SMTP. (It's usable in the context of FTP or IMAP
> > > shared folder access).
> > >
> > > Another reasonable setting is:
> > >
> > >     smtpd_sasl_security_options = noanonymous, noplaintext
> > >
> > > If you can't use TLS to shield SMTP AUTH conducted using plaintext mechanisms
> > > then you should not offer them.
> > >
> > > A good compromise is to forbid plaintext over unencrypted, but permit it over
> > > crypted communication (TLS):
> > >
> > >     smtpd_sasl_security_options = noanonymous, noplaintext
> > >     smtpd_tls_sasl_security_options = noanonymous
> > >
> > > As soon as a client has started a TLS session the SMTP session is restarted.
> > > The server then offers plaintext mechanisms and the client may use them
> > > securely.
> >
> > Unfortunately, this should be: smtpd_sasl_tls_security_options
>
> Yes, indeed. Thanks for crosschecking.
>
> [EMAIL PROTECTED]
>
> --
> The Book of Postfix
> <http://www.postfix-book.com>
> saslfinger (debugging SMTP AUTH):
> <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
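The exchange above turns on two things: the plaintext-only-over-TLS compromise, and the fact that the TLS-side parameter is spelled `smtpd_sasl_tls_security_options` (a misspelled name is silently ignored by Postfix, so the intended restriction never applies). The following script is an added example, not code from the thread or from the Postfix project: it parses a `main.cf` fragment and reports the weak spots discussed. The sample configurations are constructed; the parser handles only plain `name = value` lines, comments and whitespace-led continuation lines, and it assumes the Postfix default that `smtpd_sasl_tls_security_options` falls back to `$smtpd_sasl_security_options` when unset.

```python
"""Audit SMTP AUTH (SASL) security settings in a Postfix main.cf fragment."""
import re

# Postfix default for the TLS-side parameter when it is not set explicitly.
TLS_OPTS_DEFAULT = "$smtpd_sasl_security_options"

# The name that slipped into the thread (word order swapped) and the real one.
MISSPELLED_TLS_PARAM = "smtpd_tls_sasl_security_options"
CORRECT_TLS_PARAM = "smtpd_sasl_tls_security_options"

# Constructed sample: the typo from the thread, so the TLS-side setting never applies.
MISSPELLED_CF = """\
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_tls_sasl_security_options = noanonymous
"""

# Constructed sample: the corrected compromise (plaintext only once TLS is up).
GOOD_CF = """\
# forbid plaintext on cleartext sessions ...
smtpd_sasl_security_options = noanonymous,
    noplaintext
# ... but allow it after STARTTLS
smtpd_sasl_tls_security_options = noanonymous
"""


def parse_main_cf(text):
    """Minimal main.cf parser: 'name = value' lines, '#' comments,
    and continuation lines that begin with whitespace."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue
        current = name.strip()
        params[current] = value.strip()
    return params


def option_set(params, name):
    """Return a parameter's comma/space separated options as a set,
    applying the documented default and following one '$other' reference."""
    value = params.get(name)
    if value is None:
        value = TLS_OPTS_DEFAULT if name == CORRECT_TLS_PARAM else ""
    if value.startswith("$"):
        value = params.get(value[1:], "")
    return {opt for opt in re.split(r"[,\s]+", value) if opt}


def audit_sasl_options(text):
    """Return a list of human-readable findings; empty means no issue found."""
    params = parse_main_cf(text)
    findings = []
    if MISSPELLED_TLS_PARAM in params:
        findings.append(f"unknown parameter {MISSPELLED_TLS_PARAM}: Postfix ignores it; "
                        f"the TLS-side setting is {CORRECT_TLS_PARAM}")
    plain = option_set(params, "smtpd_sasl_security_options")
    tls = option_set(params, CORRECT_TLS_PARAM)
    if "noanonymous" not in plain:
        findings.append("anonymous SASL login allowed on unencrypted sessions (add noanonymous)")
    if "noanonymous" not in tls:
        findings.append("anonymous SASL login allowed on TLS sessions (add noanonymous)")
    if "noplaintext" not in plain:
        findings.append("plaintext mechanisms offered before TLS: "
                        "credentials can cross the wire unencrypted (add noplaintext)")
    elif "noplaintext" in tls:
        findings.append(f"note: plaintext mechanisms are disabled even over TLS; set "
                        f"{CORRECT_TLS_PARAM} = noanonymous to allow them once encrypted")
    return findings


if __name__ == "__main__":
    for label, cf in (("misspelled", MISSPELLED_CF), ("good", GOOD_CF)):
        print(f"[{label}]")
        for finding in audit_sasl_options(cf) or ["ok"]:
            print("  -", finding)
```

Run it against a real `main.cf` by reading the file into `audit_sasl_options`; on a live system `postconf -n` output is the more reliable input, since it shows what Postfix actually loaded rather than what the file says.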