* Drew Tomlinson <[EMAIL PROTECTED]>: > Thank you both so much for your help. This was the problem - well, part > of it anyway. After setting the above, I could see that authentication > was failing. I could also see that Postfix was choosing CRAM-MD5. I > knew from prior testing that method failed interactively as well. Thus > I set "smtp_sasl_mechanism_filter = !CRAM-MD5". Then I started getting > errors about "...no available mech...". Next I found > smtp_sasl_security_options included "noplaintext" and "noanonymous" by > default. Thus I set it to "noanonymous" to allow plaintext. I still > got the "...no available mech..." message. Well I knew from prior > testing that PLAIN did work, thus I set "smtp_sasl_mechanism_filter = > PLAIN". SUCCESS!!! > > But for my own curiosity, why did not Postfix find PLAIN on its own? > Why did I have to set it specifically? I would have thought that > setting !CRAM-MD5 would have been enough.
Choosing the mechanism is not done by Postfix, but by the Cyrus SASL library libsasl, linked into the Postfix smtp client. The rationale is "go for the most secure mechanism". PLAIN is, left on its own, far less secure than CRAM-MD5; plain is secure only used in conjunction with a TLS shielded connection. And then there are the default settings of Postfix' smtp_sasl_security_options and they forbid usage of insecure plaintext mechanisms unless you override the default. So in a sum, if a server offers SMTP AUTH, the following happens: 1. Server offers AUTH 2. Postfix smtp client ignores it because of smtp_sasl_security_options default 3. You change smtp_sasl_security_options to allow plaintext 4. Server offers AUTH 5. Postfix hands it down as option to libsasl 6. libsasl prefers CRAM-MD5 over PLAIN 7. you set smtp_sasl_mechanism_filter = !CRAM-MD5 to have Postfix filter CRAM-MD5 away and not have libsasl see this option 8. libsasl see's only PLAIN 9. PLAIN is choosen and authentication takes place HTH, [EMAIL PROTECTED] -- The Book of Postfix <http://www.postfix-book.com> saslfinger (debugging SMTP AUTH): <http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
