On 12/6/2012 9:54 PM, jug...@lavabit.com wrote:
>> common to specify
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_tls_security_options = noanonymous
>
>> and then after verifying that SASL works, adding
>> smtpd_tls_auth_only = yes
>
> Does it mean that my session will be encrypted using TLS, but there
> won't be any encryption inside the tunnel?
Right, postfix won't offer AUTH unless the session is TLS-encrypted, and all credentials are protected by TLS. Postfix (and the SASL backend) will still happily use any supported mechanisms inside TLS, but now there's no particular advantage for the non-plaintext mechanisms since everything is already encrypted with TLS.

> I assume it's pretty secure for most cases. Could you confirm?

More secure, because with TLS the mail content is encrypted, not just the credentials.

>
> Anyway, I'll try to configure a non-plaintext mechanism.
>

Many popular desktop clients only support PLAIN and LOGIN (both considered plain-text equivalent), but it (most likely) won't hurt to offer additional mechanisms.

-- 
Noel Jones
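
The following is an added example, not part of the original message and not Postfix code: a small auditor for the main.cf settings discussed in this thread, run against the two configuration stages it describes. The function names and sample configs are constructed; `smtpd_sasl_auth_enable` and the default values are taken from postconf(5), and only simple `$name` references are expanded.

```python
import re

# Postfix defaults for the parameters involved, per postconf(5).
DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_tls_auth_only": "no",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
}

def parse_main_cf(text):
    """'name = value' lines, '#' comments, whitespace-led continuations."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
        elif "=" in line:
            name, value = line.split("=", 1)
            current = name.strip()
            params[current] = value.strip()  # last setting wins
    return params

def get(params, name):
    # Effective value: explicit setting or default, with $name expanded.
    raw = params.get(name, DEFAULTS.get(name, ""))
    return re.sub(r"\$\{?(\w+)\}?", lambda m: get(params, m.group(1)), raw)

def options(params, name):
    # Option lists are separated by commas and/or whitespace.
    return set(re.split(r"[,\s]+", get(params, name))) - {""}

def audit(text):
    """Return findings for the SASL/TLS settings discussed in the thread."""
    p, findings = parse_main_cf(text), []
    if get(p, "smtpd_sasl_auth_enable").lower() != "yes":
        return findings  # smtpd does not offer AUTH at all
    if get(p, "smtpd_tls_auth_only").lower() != "yes":
        findings.append("smtpd_tls_auth_only != yes: AUTH is offered without TLS")
        if "noplaintext" not in options(p, "smtpd_sasl_security_options"):
            findings.append("PLAIN/LOGIN may be offered on unencrypted sessions")
    for name in ("smtpd_sasl_security_options", "smtpd_sasl_tls_security_options"):
        if "noanonymous" not in options(p, name):
            findings.append(name + " lacks noanonymous")
    return findings

# Constructed samples: the two stages described in the thread.
STAGE_1 = ("smtpd_sasl_auth_enable = yes\n"
           "smtpd_sasl_security_options = noanonymous\n"
           "smtpd_sasl_tls_security_options = noanonymous\n")
STAGE_2 = STAGE_1 + "smtpd_tls_auth_only = yes\n"
```

`audit(STAGE_1)` reports both TLS-related findings, while `audit(STAGE_2)` returns an empty list.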