Hi,

I've set up a Postfix server to handle SMTP for a few domains on my
local network. I don't want to rely on clients to "do the right thing"
and trust them to enable encryption and authentication on their own.
So, I'd like to disable all plain text logins that are not encrypted,
and disable anonymous SMTP for obvious security reasons.

Dovecot is handling IMAP. I've successfully configured Dovecot to
require encryption for all requests. I've also set up Postfix as best I
can tell to do what I want. However, it still allows me to send email
without authentication, as well as with authentication but using a
plaintext login. I have fully read the SASL README file, as well as
the relevant parts of the postconf man page.

It is noteworthy that I am using Dovecot to perform the authentication
("smtpd_sasl_type = dovecot"). Dovecot is looking up credentials from
a database. I am unable to find documentation on how much
configuration Postfix inherits from Dovecot when used in this manner.
I am also using "permit_mynetworks" in the
smtpd_recipient_restrictions setting, but mynetworks currently is only
set to localhost, and removing permit_mynetworks does not resolve the
problem.

I am using Postfix 2.5.5-1.1 on Debian Lenny.

Here are the pertinent settings from main.cf:

# TLS
smtpd_tls_cert_file = ...
smtpd_tls_key_file = ...
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_auth_only = yes

# SASL
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Restrictions
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_delay_reject = yes
smtpd_client_restricitons = permit_sasl_authenticated, reject


Is this the correct configuration for my desired setup? Could this be
somehow related to the version of Postfix I'm using?

Thanks in advance.

Chris
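
Added example, not part of the original post: a small main.cf linter that rebuilds logical lines and reports parameter names outside a known set, such as the `smtpd_client_restricitons` spelling in the settings above. The `KNOWN` set is a partial list assumed for this example, and `parse_main_cf` and `lint` are hypothetical helper names.

```python
import difflib

# Names from the post, spelled as in postconf(5). Partial list (assumption for
# this example); on a real host build the set from `postconf -d` output.
KNOWN = {
    "smtpd_tls_cert_file", "smtpd_tls_key_file", "smtpd_use_tls",
    "smtpd_tls_session_cache_database", "smtpd_tls_auth_only",
    "smtpd_sasl_type", "smtpd_sasl_path", "smtpd_sasl_auth_enable",
    "smtpd_sasl_security_options", "smtpd_sasl_tls_security_options",
    "smtpd_recipient_restrictions", "smtpd_delay_reject",
    "smtpd_client_restrictions",
}

# Constructed sample: the "Restrictions" settings as spelled in the post.
SAMPLE = """\
# Restrictions
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination
smtpd_delay_reject = yes
smtpd_client_restricitons = permit_sasl_authenticated, reject
"""

def parse_main_cf(text):
    """Split main.cf text into logical lines: comment and blank lines are
    skipped, a line starting with whitespace continues the previous one."""
    entries, orphans = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            if entries:
                n, name, value = entries[-1]
                entries[-1] = (n, name, f"{value} {raw.strip()}".strip())
        elif "=" in raw:
            name, _, value = raw.partition("=")
            entries.append((lineno, name.strip(), value.strip()))
        else:
            orphans.append((lineno, raw.strip()))  # wrapped line lost its indent
    return entries, orphans

def lint(text, known=KNOWN):
    entries, orphans = parse_main_cf(text)
    findings = [(n, f"not a continuation (no indent, no '='): {s}") for n, s in orphans]
    for n, name, _ in entries:
        if name not in known:
            close = difflib.get_close_matches(name, sorted(known), n=1)
            hint = f", closest known name: {close[0]}" if close else ""
            findings.append((n, f"unknown parameter {name}{hint}"))
    return sorted(findings)
```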