On Thu, May 12, 2011 at 05:14:01PM +0300, gaby wrote:

> I want to set postfix to use TLS (certificates) only my sasl
> clients send email.

TLS is not "certificates". TLS is transport encryption, with optional
certificate-based authentication of the server (and optionally also the
client).

If you are authenticating users via SASL, it is generally best to use
TLS to protect the channel, and to use server certificates to protect
the client from MITM attacks.

TLS is by default optional. You can restrict SASL authentication to
just the TLS protected sessions:

    smtpd_tls_auth_only = yes

> I want to not use TLS, only for SASL clients, only when they send email.
> I use sasl authenticated for my users with plain text.
>
> /etc/postfix/main.cf:
> smtpd_recipient_restrictions =
>     permit_mynetworks
>     permit_sasl_authenticated
>     reject_unauth_destination
>
> I use PAM/etc/sasl2/smtpd.conf:
> pwcheck_method: saslauthd
> mech_list: PLAIN LOGIN

Just configure TLS and enable SASL AUTH for TLS only, as above.

    http://www.postfix.org/TLS_README.html

You'll need a certificate from a CA the client MUAs trust (built-in, or
added manually if there is a small number of such clients, in which case
a private CA may scale).

--
    Viktor.
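
One way to verify the effect of `smtpd_tls_auth_only = yes` from the client side, as an added example that is not part of the original thread: with the setting active, the server's EHLO reply advertises AUTH only after STARTTLS has completed. The replies below are constructed samples, `mail.example.com` is a placeholder host, and the function names are hypothetical.

```python
"""Audit SMTP EHLO replies: AUTH must only be offered once TLS is active."""

def parse_ehlo(reply):
    """Return {KEYWORD: set(params)} from a multi-line 250 EHLO reply."""
    caps = {}
    lines = [ln.rstrip() for ln in reply.splitlines() if ln.strip()]
    for line in lines[1:]:  # line 0 is the server greeting, not a keyword
        if len(line) < 5 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError("not a 250 reply line: %r" % line)
        text = line[4:].strip()
        if text.upper().startswith("AUTH="):  # legacy "AUTH=PLAIN LOGIN" form
            text = "AUTH " + text[5:]
        words = text.split()
        if words:
            caps.setdefault(words[0].upper(), set()).update(w.upper() for w in words[1:])
    return caps

def audit(cleartext_reply, tls_reply):
    """Compare the EHLO reply before STARTTLS with the one after it."""
    before, after = parse_ehlo(cleartext_reply), parse_ehlo(tls_reply)
    findings = []
    if "STARTTLS" not in before:
        findings.append("STARTTLS not offered")
    if "AUTH" in before:
        findings.append("AUTH offered before STARTTLS: " + ", ".join(sorted(before["AUTH"])))
    if "AUTH" not in after:
        findings.append("AUTH not offered after STARTTLS")
    return findings

# Constructed sample replies (mail.example.com is a placeholder host).
WITHOUT_AUTH_ONLY = """250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME"""
WITH_AUTH_ONLY = """250-mail.example.com
250-PIPELINING
250-STARTTLS
250 8BITMIME"""
AFTER_STARTTLS = """250-mail.example.com
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    for name, reply in (("without", WITHOUT_AUTH_ONLY), ("with", WITH_AUTH_ONLY)):
        print(name, "smtpd_tls_auth_only:", audit(reply, AFTER_STARTTLS) or "ok")
```
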