On Tue, Mar 23, 2010 at 03:17:05PM -0400, Carlos Mennens wrote:

> > > smtpd_tls_security_level = may
> >
> > Use this instead of "smtpd_use_tls".
> 
> Noted.
> 
> >> smtpd_tls_auth_only = yes # ?
> >
> > Disable SASL authentication for un-encrypted connections.
> 
> I am guessing I only have the above since 'smtpd_tls_security_level =
> may' is set and not mandatory, correct? If I configured that 'may' to
> 'encrypt', then there is no reason to 'disable SASL authentication for
> un-encrypted connections' as you noted, right?

Sure, if your host is a submission-only host (not an MX host for an
internet-connected domain) and requiring TLS outright is an option,
then indeed you don't need to explicitly restrict SASL to encrypted
connections, because Postfix automatically does that when encryption
is mandatory.

> So would this look correct to you in main.cf:
> 
> # SASL settings
> smtpd_sasl_auth_enable = yes
> broken_sasl_auth_clients = yes
> smtpd_sasl_type = dovecot
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> 
> # TLS settings
> smtpd_tls_security_level = encrypt
> smtpd_tls_key_file = /etc/ssl/mail.key
> smtpd_tls_cert_file = /etc/ssl/mail.crt
> smtpd_tls_loglevel = 1
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
> tls_random_source = dev:/dev/urandom
> # smtpd_tls_auth_only = yes

If "encrypt" is a viable TLS policy (because this is not a public MX host),
then yes, this is fine.

> Do I enable the last parameter for SASL authentication if I changed
> 'may' to 'encrypt'? Do you see me missing anything?

There is no harm in the "redundant" setting: if you don't want plaintext
SASL regardless of the TLS security level, then say so, even if the
security level for now happens to make this a no-op.

-- 
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
system/email administrator to architect and sustain our perimeter email
environment.  If you are interested, please drop me a note.
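An added example, not part of the thread above and not Postfix's own code: an offline audit that reads a main.cf and answers the question Carlos and Viktor are working through, namely whether a client can send SASL AUTH before STARTTLS. It follows the rules stated in the thread (mandatory TLS restricts AUTH by itself; optional TLS needs smtpd_tls_auth_only = yes) and the postconf(5) defaults, and it also mirrors one main.cf property that bites the first draft quoted above: there are no inline comments, so "yes # ?" is taken whole as the value. The three main.cf fragments and the function names are constructed for the example; on a live host, `postconf smtpd_tls_security_level smtpd_tls_auth_only` prints the effective values instead.

```python
# Added example (not code from the thread or from Postfix): audit a main.cf
# text for SASL AUTH being reachable on an unencrypted SMTP session.
# Parameter defaults are those documented in postconf(5); the sample
# configurations below are constructed for the example.

def parse_main_cf(text):
    """Minimal main.cf reader: 'name = value' logical lines, '#' comment
    lines, and continuation lines (leading whitespace appends to the previous
    value).  Like Postfix, it does not strip a trailing '# ...' from a value,
    because main.cf has no inline comments."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t":
            if current is not None:
                params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; postconf would warn about it
        current = name.strip()
        params[current] = value.strip()
    return params


def audit_plaintext_auth(params):
    """Return (exposed, findings).  exposed is True when the configuration
    lets a client AUTH before STARTTLS; findings explains why and lists
    malformed or obsolete settings."""
    findings = []

    def yes_no(name, default="no"):
        value = params.get(name, default).lower()
        if value in ("yes", "no"):
            return value == "yes"
        findings.append(f"{name} = {params[name]!r} is not a yes/no value "
                        "(main.cf takes the whole text after '=' as the value)")
        return None

    if not yes_no("smtpd_sasl_auth_enable"):
        return False, findings  # no AUTH offered at all

    level = params.get("smtpd_tls_security_level", "").lower()
    for legacy in ("smtpd_use_tls", "smtpd_enforce_tls"):
        if legacy in params:
            findings.append(f"{legacy} is obsolete; use smtpd_tls_security_level")
    if not level:
        # Empty level: Postfix falls back to the legacy switches.
        if yes_no("smtpd_enforce_tls"):
            level = "encrypt"
        elif yes_no("smtpd_use_tls"):
            level = "may"
        else:
            level = "none"

    if level == "encrypt":
        # Mandatory TLS: Postfix restricts AUTH to encrypted sessions by itself.
        return False, findings

    auth_only = yes_no("smtpd_tls_auth_only")
    if level == "may" and auth_only:
        return False, findings  # AUTH is announced only after STARTTLS
    if level == "may":
        findings.append("smtpd_tls_security_level = may without "
                        "smtpd_tls_auth_only = yes: AUTH is announced before STARTTLS")
    else:
        findings.append(f"TLS is off on smtpd (level {level!r}): every AUTH is in the clear")
    return True, findings


def audit(text):
    """Convenience wrapper: main.cf text in, (exposed, findings) out."""
    return audit_plaintext_auth(parse_main_cf(text))


# Constructed main.cf fragments modelled on the thread.
MX_HOST_DRAFT = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes # ?
"""
MX_HOST_FIXED = MX_HOST_DRAFT.replace("yes # ?", "yes")
SUBMISSION_HOST = """\
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
# smtpd_tls_auth_only = yes
"""

if __name__ == "__main__":
    for label, cf in (("MX draft", MX_HOST_DRAFT), ("MX fixed", MX_HOST_FIXED),
                      ("submission", SUBMISSION_HOST)):
        exposed, findings = audit(cf)
        print(f"{label}: plaintext AUTH {'POSSIBLE' if exposed else 'blocked'}")
        for f in findings:
            print("  -", f)
```

The draft MX configuration is reported as exposed for two reasons: the value "yes # ?" is not a boolean, and without a valid smtpd_tls_auth_only = yes the "may" level announces AUTH on the plaintext session. The corrected MX fragment and the submission-only fragment with "encrypt" both come back clean.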
