Hi list,

I have a Postfix setup with Dovecot SASL. Other MTAs drop their mail at my host (without authentication, obviously) and I have a couple of clients which drop their relay mail off after authentication. So, a pretty standard setup.

For SASL authentication I have hashed passwords in the backend. This means that Postfix has to accept a plaintext authentication method. Usually this is no problem, since the MTA uses TLS (after STARTTLS). What I would like to do and cannot figure out: How can I *force* authenticated clients to perform a STARTTLS before performing an "AUTH PLAIN"?

I tried the following:

    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous

Which results in Postfix pretty much crashing as soon as someone only connects to it:

    Jan 30 23:50:49 ira postfix/smtpd[5065]: connect from my.local-dynip.com[1.2.3.4]
    Jan 30 23:50:49 ira postfix/smtpd[5065]: fatal: no SASL authentication mechanisms
    Jan 30 23:50:50 ira postfix/master[5045]: warning: process /usr/lib/postfix/smtpd pid 5065 exit status 1
    Jan 30 23:50:50 ira postfix/master[5045]: warning: /usr/lib/postfix/smtpd: bad command startup -- throttling

i.e. this is the same behavior as when I disallow Postfix plaintext authentication altogether. I would just like to force misconfigured clients to accidentally transmit their credentials in plaintext.

I'm sure there's a way to do what I want; I would really appreciate any help from you guys.

Thanks in advance,
Johannes
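The configuration the post is looking for, as an added example that is not part of the original message or the poster's own main.cf: Postfix's `smtpd_tls_auth_only` parameter confines AUTH to sessions that have already completed STARTTLS, which is what the `noplaintext` attempt above was trying to achieve. It assumes Dovecot SASL is reachable at `private/auth` and that the TLS certificate settings are already in place.

```ini
# main.cf fragment (added example, not the poster's configuration).
# Assumes Dovecot SASL at private/auth and a working TLS key/cert setup.

# --- Setting from the post: makes smtpd exit on every connection ---
# "noplaintext" strips PLAIN and LOGIN, the only mechanisms Dovecot
# offers, so nothing is left for the pre-TLS phase and smtpd aborts
# with "fatal: no SASL authentication mechanisms".
# smtpd_sasl_security_options     = noanonymous, noplaintext
# smtpd_sasl_tls_security_options = noanonymous

# --- Corrected ---
smtpd_sasl_type        = dovecot
smtpd_sasl_path        = private/auth
smtpd_sasl_auth_enable = yes

# Offer STARTTLS to everyone; other MTAs may still deliver in the clear.
smtpd_tls_security_level = may

# Announce and accept AUTH only after STARTTLS has completed.
# A client that sends "AUTH PLAIN" on the unencrypted session is
# refused with "530 5.7.0 Must issue a STARTTLS command first"
# instead of being allowed to leak its credentials.
smtpd_tls_auth_only = yes

# Plaintext mechanisms are fine once the session is encrypted, so keep
# only the anonymous restriction. The non-TLS option set no longer
# matters because AUTH is never offered without TLS.
smtpd_sasl_security_options     = noanonymous
smtpd_sasl_tls_security_options = noanonymous
```

To verify after `postfix reload`, send EHLO before and after STARTTLS: the 250-AUTH line should appear only in the second EHLO response.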