On 12/03/2016 04:10 PM, Wietse Venema wrote:
> rich.gre...@hushmail.com:
>> There are ports that exist for encrypted transfer of this data
>> (such as 465, 587). What is the current state of the art for
>> preventing the user's client software from being able to do this
>> (sending their authentication details plaintext)? Is it safe to
>> simply block this port external to the machine, for example, in
>> the router?
>
> Don't enable SASL auth on port 25.
>
> Do require smtpd_tls_auth_only=yes on port 587.
>
> This is easiest implemented by setting smtpd_sasl_auth_enable and
> smtpd_tls_auth_only in the master.cf entry for the port 587 service,
> and not setting them in main.cf.
>
> submission inet n - n - - smtpd
>   -o syslog_name=postfix/submission
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_sasl_auth_only=yes
>   -o smtpd_reject_unlisted_recipient=no
>   -o smtpd_client_restrictions=$mua_client_restrictions
>   -o smtpd_helo_restrictions=$mua_helo_restrictions
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>   -o smtpd_recipient_restrictions=
>   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>
> (similar for the obsolete 'smtps' service on port 465).
>
> mua_client_restrictions, mua_helo_restrictions, mua_sender_restrictions
> can then be specified in main.cf.
>
> Wietse
Wietse, this looks like a typo:

    -o smtpd_sasl_auth_only=yes

That should be

    -o smtpd_tls_auth_only=yes

in line with your comment above the config.

John
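The typo John points out is easy to make and easy to miss: a mistyped "-o" override in master.cf does not set the parameter the admin intended, yet the submission service still starts. The following script is an added example (not Postfix code and not anything from this thread's authors) that parses master.cf-style text, collects the "-o name=value" overrides of the "submission" service, and checks that the three settings Wietse's reply relies on (smtpd_tls_security_level=encrypt, smtpd_sasl_auth_enable=yes, smtpd_tls_auth_only=yes) are actually present. The sample master.cf text is constructed from the snippet in the thread, typo included; the parameter names it checks are real Postfix parameters.

```python
"""Lint a Postfix master.cf 'submission' entry for TLS-only SASL auth.

Added example for this thread; it is not part of Postfix and not the
thread authors' own tooling. Assumes the standard master.cf layout
where indented '-o name=value' lines override main.cf for one service.
"""
import re

# Overrides the submission service should carry so that SASL is only
# offered inside TLS. All three are real Postfix parameter names.
REQUIRED = {
    "smtpd_tls_security_level": "encrypt",
    "smtpd_sasl_auth_enable": "yes",
    "smtpd_tls_auth_only": "yes",
}

# Constructed sample input: the master.cf snippet from the thread,
# with the mistyped parameter left in place.
MASTER_CF_TYPO = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

# Same entry with the parameter name corrected, as John suggests.
MASTER_CF_FIXED = MASTER_CF_TYPO.replace("smtpd_sasl_auth_only",
                                         "smtpd_tls_auth_only")


def parse_master_cf(text):
    """Return {service_name: {param: value}} for each master.cf service.

    A line starting at column 0 begins a service entry (its first field
    is the service name); indented '-o name=value' lines attach to the
    most recent service. Comments and blank lines are skipped.
    """
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                continue
            m = re.match(r"\s*-o\s+([A-Za-z0-9_]+)=(.*)$", line)
            if m:
                services[current][m.group(1)] = m.group(2).strip()
            continue
        current = line.split()[0]
        services[current] = {}
    return services


def check_submission(text, service="submission"):
    """Return a list of problems for the given service; [] means it passes."""
    services = parse_master_cf(text)
    if service not in services:
        return [f"no '{service}' service defined"]
    overrides = services[service]
    problems = []
    for name, want in REQUIRED.items():
        got = overrides.get(name)
        if got is None:
            problems.append(f"{name} not overridden for {service}")
        elif got != want:
            problems.append(f"{name}={got}, expected {want}")
    # Report near-misses of the required names explicitly: an override
    # with a mistyped name leaves the intended parameter at its default.
    for name in overrides:
        if name not in REQUIRED and "auth_only" in name:
            problems.append(
                f"{name} is not a Postfix parameter "
                f"(typo for smtpd_tls_auth_only?)")
    return problems


if __name__ == "__main__":
    for label, cf in (("typo", MASTER_CF_TYPO), ("fixed", MASTER_CF_FIXED)):
        print(label + ":", check_submission(cf) or "OK")
```

Run against a real file with `check_submission(open("/etc/postfix/master.cf").read())`; the parser only understands the "-o" override lines, which is all this check needs, and it deliberately ignores main.cf, since the point of Wietse's advice is that these settings live in the per-service master.cf entry.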