* Victor Duchovni <postfix-users@postfix.org>:
> On Tue, Dec 28, 2010 at 09:23:14PM -0500, Wietse Venema wrote:
>
> > I have built an event-driven TLS proxy for postscreen(8). This
> > addresses the problem that postscreen(8) could not be used when
> > SMTP clients require STARTTLS support.
> >
> > [...]
> >
> > Next on the agenda is AUTH support, and that is a lot simpler.
>
> Will there be a snapshot with just the TLS proxy, or just a final
> snapshot when AUTH support is also done?
>
> Server-side AUTH support for multiple sessions likely cannot be
> implemented in a non-blocking fashion without some sort of concurrency,
> the SASL library may consult LDAP, or a variety of similar---potentially
> high-latency---data sources.
>
> So, unlike the TLS proxy, the AUTH proxy (as e.g. the Cyrus saslauthd
> service) may need to be a forking multi-process service.
>
> Is AUTH support in postscreen really necessary? It seems to me that AUTH
> is submission, that should be on 587, not 25, where one does not want
> postscreen at all.
>
> Perhaps we can encourage better hygiene, by not offering AUTH in
> postscreen. People who want AUTH and postscreen, can migrate their AUTH
> users to port 587? Or is this still too much to ask of potential Postfix
> users?

I guess it is. The problem is you need to persuade admins that they trade a
short period of pain - aka switch AUTH from 25 to 587 - in for less pain in
the long run (more selective policies, less spam).

The problem is not the admins, but the users who will be forced to
reconfigure their mail clients AND the marketing and sales folks, because
they fear they will lose customers. I've run into that situation a few
times this year.

This said: Switching AUTH from 25 to 587 is a large company problem, not a
small one's. Small ones have admins running around, reconfiguring mail
clients.

My 2ct.

p...@rick

--
All technical questions asked privately will be automatically answered on
the list and archived for public access unless privacy is explicitly
required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>