On Tue, Jul 16, 2013 at 10:03:57PM +0000, Viktor Dukhovni wrote:
> On Tue, Jul 16, 2013 at 11:06:47PM +0200, Vincent Pelletier wrote:
>
> > Following pointers and advice from pj and adaptr on freenode,
> > I've set up postfix on my box to send mail through the mail
> > accounts I have (including the one I'm sending from now). The
> > problem is, some of my account providers do not support TLS, so
> > I have to use stunnel. Then, postfix logs
> >   warning: SASL authentication failure: No worthy mechs found
> > thanks to
> >   smtp_sasl_security_options = noanonymous, noplaintext
> > and queues the message for retry.
> >
> > How can I tell postfix that plaintext auth mechanisms should be
> > allowed when sending to a specific ip (and maybe port) ?
> > Of course, I would like to keep plaintext auth disallowed
> > anywhere else.
>
> Separate destinations with incompatible SASL requirements by
> transport (clone smtp/unix under additional names). Configure
> each transport's SASL settings via:

Sure, this works, but why is it a problem? Why not just enforce TLS
where it is needed?

http://www.postfix.org/TLS_README.html#client_tls_policy
http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

A Postfix which is using a relayhost is not going to connect to
random Internet sites, and it is definitely not going to attempt to
AUTH at any site not configured in $smtp_sasl_password_maps.

> master.cf:
>     mumble unix ... smtp
>         -o smtp_sasl_security_options=$mumble_sasl_security_options
>
> main.cf:
>     mumble_sasl_security_options = ...
>
> transport:
>     example.com mumble:[mail.example.com]:587
>
> And similarly from sender_dependent_default_transport_maps, ...
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
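
Not part of the thread: an added example configuration that combines the two suggestions above, per-destination TLS enforcement through smtp_tls_policy_maps and a cloned smtp transport with its own SASL options. The transport name `viastunnel`, the stunnel listener at 127.0.0.1:11125, the hosts, the map file paths and the credentials are assumptions made for illustration.

```cfg
# /etc/postfix/main.cf
# Default for every destination: no anonymous or plaintext SASL mechanisms
# on an unencrypted session.
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous, noplaintext
# Once the session is TLS-protected, plaintext mechanisms are acceptable.
smtp_sasl_tls_security_options = noanonymous
# Opportunistic TLS by default; mandatory for relays listed in tls_policy.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
transport_maps = hash:/etc/postfix/transport
# User-defined parameter, referenced by the cloned transport in master.cf.
viastunnel_sasl_security_options = noanonymous

# /etc/postfix/master.cf
# Clone of smtp/unix. Only this transport may use plaintext mechanisms on a
# session Postfix sees as unencrypted: stunnel adds the TLS layer, and the
# cleartext leg never leaves the loopback interface.
viastunnel unix  -       -       n       -       -       smtp
    -o smtp_sasl_security_options=$viastunnel_sasl_security_options
    -o smtp_tls_security_level=none

# /etc/postfix/tls_policy
# Refuse to deliver (and so to authenticate) without TLS at this relay.
[mail.example.com]:587    encrypt

# /etc/postfix/transport
example.com    smtp:[mail.example.com]:587
example.net    viastunnel:[127.0.0.1]:11125

# /etc/postfix/sasl_passwd (keyed by next hop; placeholder credentials)
[mail.example.com]:587    user@example.com:PASSWORD
[127.0.0.1]:11125         user@example.net:PASSWORD
```

The three hash: tables need `postmap` run on them after editing, followed by `postfix reload`.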