On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
> Here I am, replying to my own post again. What I said in the prior post
> wasn't entirely true. I realized that I used the wrong password in my prior
> attempt. I am still granted access to the SMTP service after authenticating
> in plaintext on port 25.
>
> So I'm somewhat confused how to prevent/discourage users from sending their
> authentication detail in the clear when there are secure methods that exist
> (such as, $ openssl s_client -starttls smtp -connect example.com:587)
>
>
> $ telnet example.com 25
> Trying 87.138.xxx.yyy...
> Connected to example.com.
> Escape character is '^]'.
> 220 example.com ESMTP Postfix (Ubuntu)
> ehlo example.com
> 250-example.com
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> AUTH LOGIN
> 334 VXNlcm5hbWU6
> dXNlckBleGFtcGxlLmNvbQ==
> 334 UGFzc3dvcmQ6
> eW91IHdvdWxkIGRlY29kZSB0aGlz
> 235 2.7.0 Authentication successful
> quit
>
>
> Thanks
>

Sounds as though you have not disabled auth on port 25, so you have still got
smtpd_sasl_auth_only=yes for the smtpd service. You may have configured that in
main.cf by changing the default value or in master.cf for the specific smtpd entry.

John
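
An added example, not part of either message above: a small Python audit of a captured SMTP text session like the quoted one, reporting whether AUTH was announced and accepted before STARTTLS and what the AUTH LOGIN exchange exposed. The names audit_session, b64 and SESSION are assumptions of this example, the sample is abridged from the quoted session, and the setting named in the comment is Postfix's smtpd_tls_auth_only parameter.

```python
import base64

# Constructed sample, abridged from the cleartext port-25 session quoted above.
SESSION = """\
220 example.com ESMTP Postfix (Ubuntu)
ehlo example.com
250-example.com
250-STARTTLS
250-AUTH PLAIN LOGIN
250 DSN
AUTH LOGIN
334 VXNlcm5hbWU6
dXNlckBleGFtcGxlLmNvbQ==
334 UGFzc3dvcmQ6
eW91IHdvdWxkIGRlY29kZSB0aGlz
235 2.7.0 Authentication successful
quit
"""

def b64(text):
    return base64.b64decode(text).decode("utf-8", "replace")

def audit_session(transcript):
    """Flag SASL AUTH announced, used or accepted before STARTTLS."""
    report = {"auth_offered_in_clear": False, "auth_ok_in_clear": False, "exposed": {}}
    tls = starttls_sent = False
    prompt = None  # decoded 334 challenge still waiting for the client's answer
    for line in filter(None, map(str.strip, transcript.splitlines())):
        if prompt is not None:  # client answer to an AUTH LOGIN challenge
            if not tls:
                report["exposed"][prompt] = b64(line)
            prompt = None
        elif line[:3].isdigit():  # server reply: 3-digit code, then ' ' or '-'
            code, text = line[:3], line[4:]
            if code == "220" and starttls_sent:
                tls = True  # later lines travel inside TLS
            elif code == "250" and text.upper().startswith(("AUTH ", "AUTH=")):
                # With smtpd_tls_auth_only = yes Postfix announces this only after TLS.
                report["auth_offered_in_clear"] |= not tls
            elif code == "334":
                prompt = b64(text).rstrip(":")
            elif code == "235":
                report["auth_ok_in_clear"] |= not tls
            starttls_sent = False
        else:  # client command
            starttls_sent = line.upper() == "STARTTLS"
    return report

if __name__ == "__main__":
    print(audit_session(SESSION))
```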