Viktor Dukhovni via Postfix-users:
> On Mon, Jun 03, 2024 at 08:55:11PM +0800, Jeff P via Postfix-users wrote:
>
> > I have closed sasl auth on port 25. but users still can use port 587
> > for login with plain text. how can I force users to use submission
> > via start-tls only? I know I can open port 465 for ssl connection.
> > but for history reason the port 587 must be open.
>
> Belt and suspenders (the first setting implies the second, and the third
> should then never be used), in master.cf for the submission entry set:
>
> -o { smtpd_tls_security_level = encrypt }
> -o { smtpd_tls_auth_only = yes }
> -o { smtpd_sasl_security_options = noanonymous, noplaintext, nodictionary
> }
> -o { smtpd_sasl_tls_security_options = noanonymous }
I'm updating the Postfix documentation that "smtpd_tls_security_level
= encrypt" will reject all plaintext commands except HELO, EHLO,
XCLIENT, STARTTLS, NOOP, QUIT, and HELP.
Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
