Patrick Ben Koetter wrote:

Choosing the mechanism is not done by Postfix, but by the Cyrus SASL library
libsasl, linked into the Postfix smtp client.

The rationale is "go for the most secure mechanism". PLAIN is, left on its
own, far less secure than CRAM-MD5; PLAIN is secure only when used in
conjunction with a TLS-shielded connection.


Note that CRAM-MD5 (without TLS) is no longer considered secure.

And then there are the default settings of Postfix's smtp_sasl_security_options,
which forbid the use of insecure plaintext mechanisms unless you override the
default.

So, in sum, if a server offers SMTP AUTH, the following happens:

1. Server offers AUTH
2. Postfix smtp client ignores it because of smtp_sasl_security_options default
3. You change smtp_sasl_security_options to allow plaintext
4. Server offers AUTH
5. Postfix hands it down as option to libsasl
6. libsasl prefers CRAM-MD5 over PLAIN
7. You set smtp_sasl_mechanism_filter = !CRAM-MD5 to have Postfix filter
   CRAM-MD5 away so that libsasl never sees this option
8. libsasl sees only PLAIN
9. PLAIN is chosen and authentication takes place

HTH,

[EMAIL PROTECTED]
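The nine steps above, written out as a Postfix main.cf fragment. This is an added example, not part of Patrick's mail or of the Postfix documentation; the relay host, the password map path and the CA file path are assumptions for illustration. It shows the default that makes the smtp client ignore AUTH, the plaintext override from step 3, and the variant a practitioner would actually want, where PLAIN is permitted only after TLS is up, followed by the CRAM-MD5 filter from step 7.

```conf
# Added example (not from the original mail): main.cf for a Postfix smtp client
# that must end up using PLAIN against a relay.  Host name, map path and CA
# file are assumed values.

smtp_sasl_auth_enable = yes
relayhost = [smtp.example.net]:587
# Credentials keyed by the relay host; build the map with "postmap" (assumed path).
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Step 2 (default): "noplaintext" excludes PLAIN and LOGIN, so if the server
# offers only plaintext mechanisms the client logs "no mechanism available"
# and the AUTH offer is effectively ignored.
#smtp_sasl_security_options = noplaintext, noanonymous

# Step 3, the blunt override: plaintext is now allowed on every session, so
# the password goes over the wire unprotected whenever TLS is not negotiated.
#smtp_sasl_security_options = noanonymous

# Step 3, the safer form: keep plaintext forbidden on cleartext sessions and
# relax the restriction only for TLS sessions (smtp_sasl_tls_security_options
# replaces smtp_sasl_security_options once TLS is active; Postfix 2.2 or later).
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous

# Require TLS towards the relay so that the TLS-only options are what applies.
# "encrypt" does not verify the server certificate; use "verify" or "secure"
# with a matching CA file if a TLS-terminating impostor is in your threat model.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Step 7: hide CRAM-MD5 from libsasl so it cannot be preferred over PLAIN.
# The filter is a list of mechanism names, "!"-negated names or patterns.
smtp_sasl_mechanism_filter = !CRAM-MD5

# Checks after "postfix reload":
#   postconf -n | grep -E '^smtp_(sasl|tls)_'
# then send a test message and watch the mail log: "SASL authentication failed"
# means the mechanism negotiation worked but the credentials were rejected,
# "no mechanism available" means nothing acceptable survived the options and
# the filter.
```

The reason for the split into smtp_sasl_security_options and smtp_sasl_tls_security_options is the point made above about PLAIN: it is acceptable only under TLS, so the configuration should express exactly that rather than lifting "noplaintext" for all sessions.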


