I have submission SASL set as Venema suggests; should/would it be a good
idea to add "smtp_sasl_auth_enable=no" to the smtp entry in master.cf,
or is the default "good enough"?
On 03/12/16 10:10 AM, Wietse Venema wrote:
rich.gre...@hushmail.com:
There are ports that exist for encrypted transfer of this data
(such as 465, 587). What is the current state of the art for
preventing the user's client software from being able to do this
(sending their authentication details plaintext)? Is it safe to
simply block this port external to the machine, for example, in
the router?
Don't enable SASL auth on port 25.
Do require smtpd_tls_auth_only=yes on port 587.
This is easiest implemented by setting smtpd_sasl_auth_enable and
smtpd_tls_auth_only in the master.cf entry for the port 587 service,
and not setting them in main.cf.
# Port 587: TLS is mandatory, AUTH is offered only inside TLS, and only
# authenticated clients may relay. The "-o" lines must start with whitespace.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
(similar for the obsolete 'smtps' service on port 465).
mua_client_restrictions, mua_helo_restrictions, mua_sender_restrictions
can then be specified in main.cf.
Wietse
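An added example, not part of this thread or of the Postfix project: a small Python probe that checks a server from the client side for the two properties Wietse describes (no AUTH on port 25; on port 587, AUTH advertised only after STARTTLS). It uses only the standard library's smtplib. The host name mail.example.com, the script name, and the EHLO feature dicts used in the test are assumptions; smtplib lowercases EHLO keywords into smtp.esmtp_features, which is what judge() inspects.

```python
# Added example (not from the postfix-users thread or the Postfix source):
# probe an MTA from outside and check that port 25 never advertises AUTH
# and that the submission port advertises AUTH only inside STARTTLS.
# Host names and ports used here are example values.
import smtplib
import ssl
import sys


def auth_offered(features):
    """features is the EHLO keyword dict that smtplib builds (keys lowercased)."""
    return "auth" in features


def judge(port, before_tls, after_tls):
    """Evaluate the EHLO features seen before and after STARTTLS on one port.

    before_tls: feature dict from the plaintext EHLO.
    after_tls:  feature dict from the EHLO inside TLS, or None if STARTTLS
                was not offered (or not attempted).
    Returns (ok, reason). Port 25 must not offer AUTH at all; any other
    port is treated as a submission port that must offer AUTH only under TLS.
    """
    if port == 25:
        if auth_offered(before_tls):
            return False, "AUTH advertised in plaintext on port 25"
        if after_tls is not None and auth_offered(after_tls):
            return False, "AUTH advertised on port 25 (SASL should be off on the MX port)"
        return True, "no AUTH on port 25"
    if auth_offered(before_tls):
        return False, "AUTH advertised before STARTTLS: a client can send credentials in the clear"
    if after_tls is None:
        return False, "STARTTLS not offered: no way to authenticate safely"
    if not auth_offered(after_tls):
        return False, "AUTH not advertised even after STARTTLS"
    return True, "AUTH offered only after STARTTLS"


def probe(host, port, timeout=10):
    """Connect, record EHLO features, upgrade with STARTTLS if offered, record again."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        after = None
        if smtp.has_extn("starttls"):
            # Default context verifies the certificate; a mismatch raises ssl.SSLError.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # features are reset by starttls(); re-issue EHLO
            after = dict(smtp.esmtp_features)
    return judge(port, before, after)


if __name__ == "__main__":
    # Usage: python3 check_auth.py mail.example.com   (host is an example value)
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for port in (25, 587):
        ok, reason = probe(host, port)
        print(f"{host}:{port} {'OK  ' if ok else 'FAIL'} {reason}")
```

The obsolete smtps service on 465 is implicit TLS, so there is no plaintext EHLO to inspect; for it you would open with smtplib.SMTP_SSL and apply only the after-TLS half of the check. On the server itself the equivalent check is "postconf -P" on the submission entry (for example postconf -P submission/inet/smtpd_tls_auth_only), which prints the per-service overrides from master.cf.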