* Heiko Wundram <modeln...@modelnine.org>:
> On 06.09.2011 11:24, Patrick Ben Koetter wrote:
> > * Heiko Wundram <modeln...@modelnine.org>:
> > > As the title says: is there a possibility to set different smtpd_sasl_security_options depending on the connecting IP (or rather subnet) of the client that tries to do authentication?
> >
> > No, you can't. Which problem are you trying to solve? Maybe there's another way to do it.
>
> Thought so; the problem I'm trying to solve is getting software which is connected via LAN to a mail relay to be able to use the relay. :-)
>
> The software (which is a Java-based backup solution) is neither able to use TLS/SSL when using the smarthost to send out its notifications, nor is it able to do any non-plaintext authentication (i.e., only LOGIN), and as such I need to set up smtpd_sasl_security_options = noanonymous to allow the software to function. Security-wise, this is somewhat "okay": the server hosting the backup software is connected via MAC/IP-firewalled switches to the mail relays, and as such I'm not too concerned having people eavesdrop on the traffic that's exchanged between the two systems, so that allowing plaintext auth for this specific case even without TLS should be okay.
>
> I'm not too happy with that, though, in the general case: the smarthost is also used by external systems to relay, and these should always use either non-TLS with non-plaintext authentication (CRAM-MD5 in the specific case), or use TLS. Enforcing this policy for external users of the mail system was straightforward with different configurations of smtpd_(tls_)sasl_security_options, but now means that I have to rely on the external users to "do the right thing" because I'm required to allow plaintext auth also for the non-TLS case.
>
> Anyway, maybe I'll try to hack together a patch for this if I've got the time to do so, I just wanted to know whether there's the possibility to do this out of the box.
You can offer a different SASL policy on a different port on the Postfix server side. Clone the "smtp ... smtpd" service line and configure it to listen on a different port, e.g., 2525. Then add "-o smtpd_sasl_security_options=noanonymous" and let the Java client connect there. Use a firewall to control access to that port.

p@rick

> Thanks!
>
> --
> --- Heiko.

--
All technical questions asked privately will be automatically answered on the list and archived for public access unless privacy is explicitly required and justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
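The two-listener setup described in the reply above, written out as an added main.cf/master.cf example; it is not part of the thread. The LAN-facing address 192.0.2.10, the backup host 192.0.2.20 and the syslog_name value are placeholders, and the "-o" overrides apply only to the cloned service, so the port 25 listener keeps the stricter policy.

```text
# main.cf: policy for the public listener (port 25)
smtpd_sasl_auth_enable = yes
# without TLS, offer only non-plaintext mechanisms (e.g. CRAM-MD5)
smtpd_sasl_security_options = noanonymous, noplaintext
# once TLS is active, plaintext mechanisms such as LOGIN/PLAIN are acceptable
smtpd_tls_security_options = noanonymous

# master.cf: the normal listener and its clone for the LAN-only client
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
smtp             inet  n       -       n       -       -       smtpd

# Clone of the smtpd service, bound to the LAN-facing address only
# (192.0.2.10 is a placeholder). The -o lines override main.cf for this
# service alone; the port 25 listener above still has noplaintext.
192.0.2.10:2525  inet  n       -       n       -       -       smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o syslog_name=postfix/lan-relay

# Host firewall (iptables, run once as root): admit only the backup host
# (192.0.2.20, placeholder) to the relaxed listener and drop everyone else.
#   iptables -A INPUT -p tcp --dport 2525 -s 192.0.2.20 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 2525 -j DROP
```

The separate syslog_name makes log lines from the relaxed listener appear as postfix/lan-relay/smtpd, so authentication attempts against it can be monitored apart from port 25 traffic.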