Viktor Dukhovni wrote in <20200825182533.gw37...@straasha.imrryr.org>:
 |On Tue, Aug 25, 2020 at 07:06:29PM +0200, Steffen Nurpmeso wrote:
 |
 |>|because:
 |>|
 |>| 1. The server indicated support for SASL in its EHLO response.
 |>| 2. The client chose to perform SASL auth.
 |>|
 |>|If you want clients to skip SASL auth, configure them to not use
 |>|SASL auth (no passwords, no EXTERNAL, just a client cert).
 |>
 |> That does not work. Oh. Yes, it does!
 |
 |Naturally...

Heh.

 |>|The protocol flow is:
 |> ...
 |>| 250 AUTH PLAIN GSSAPI ...
 |>| C: !!! chooses to perform or skip SASL !!!
 |>| --- possible SASL handshake here ---
 |>
 |> Yes, but, you know, _if_ the server announces AUTH then of course
 |> any automatic software will choose AUTH! Because, why would the
 |> server announce AUTH if it would not need it?
 |
 |Because it is advertising a *capability* not a mandate. Lots of
 |servers advertise AUTH even when only some clients need to or
 |choose to use AUTH. Of course you can always set up a dedicated
 |MSA on some IP:port combination which only accepts client certs,
 |and is configured to NOT offer AUTH. That's your choice.

Usually you are given a username and a password, and a server name and a port. That you enter into the MUA, and the rest you do not know. (Unless you use a real primitive MUA, where you have to be explicit.)

And for the basic MUA I maintain one could read already in the year 2004 (!)

  smtp-auth
    Sets the SMTP authentication method. If set to `login', or if unset and both smtp-auth-user and smtp-auth-password are set, AUTH LOGIN is used. If set to `cram-md5', AUTH CRAM-MD5 is used. Otherwise, no SMTP authentication is performed.

  smtp-auth-password
    Sets the global password for SMTP AUTH. Both user and password have to be given for AUTH LOGIN and AUTH CRAM-MD5.

  smtp-auth-user
    Sets the global user name for SMTP AUTH. Both user and password have to be given for AUTH LOGIN and AUTH CRAM-MD5.

(plus omitted specializations). And in 2007 it had changed to

  smtp-auth
    Sets the SMTP authentication method. If set to `login', or if unset and smtp-auth-user is set, AUTH LOGIN is used. If set to `cram-md5', AUTH CRAM-MD5 is used; if set to `plain', AUTH PLAIN is used. Otherwise, no SMTP authentication is performed.

I personally have _never_ sent a mail via a smarthost without having authenticated myself.

 |And for a client to initiate SASL AUTH it has to be configured with
 |suitable credentials, and told to use them with the server in question.

Yes. At least the former, the latter is then always automatic as of my experience.

 |Clients don't (implementation incompetence aside) just automatically
 |send their passwords to some random server that happens to include
 |"AUTH" in its EHLO response.

I am only talking MUA here. So please replace the "client" as above with the word "mail user agent", or also simple MTAs like DMA or msmtp. You define a smarthost to contact, and if so (at least DMA can also send mail directly to a receiver instead), a login is performed.

 |> This does not make sense!
 |
 |It makes sense to me. Your intuition is misleading you in various
 |non-productive directions. Try to set some preconceptions aside
 |and take in a new perspective.

This is very tough. But maybe we have a notational problem only, where my "client" is a MUA, whereas your "client" is any SMTP aware software which transports a message to a SMTP server.

 |>|The relative order of the relay and recipient restrictions is somewhat
 |>|in flux at the moment, it changed in Postfix 3.3, but the docs have
 |>
 |> (Must be that, then.)
 |
 |No, that's just a pedantic side comment, not relevant to your situation,
 |needed only to avoid a small inaccuracy.

So I withdraw politely in silence.

Good Evening,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
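The client-side decision the thread argues about, as an added illustration that is not code from the thread, from Postfix or from the MUA it mentions: the server's AUTH line is parsed as a capability list, and whether SASL is attempted is decided only by the configured smtp-auth / smtp-auth-user / smtp-auth-password settings quoted above (2007 semantics). The EHLO response, host name and credentials are constructed sample values; requiring both user and password for every mechanism is an assumption taken from the 2004 wording.

```python
import re

# Constructed EHLO response, modelled on the "250 AUTH PLAIN GSSAPI ..." line
# quoted in the thread. The host name is a placeholder.
EHLO_RESPONSE = [
    "250-mail.example.invalid",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 AUTH PLAIN GSSAPI LOGIN CRAM-MD5",
]


def advertised_auth_mechanisms(ehlo_lines):
    """Return the SASL mechanisms the server *offers* (a capability, not a
    mandate). Accepts the RFC form 'AUTH X Y' and the legacy 'AUTH=X Y'.
    An empty set means the server did not announce AUTH at all."""
    mechs = set()
    for line in ehlo_lines:
        m = re.match(r"250[- ]AUTH(?:=| )(.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(m.group(1).upper().split())
    return mechs


def configured_auth_method(smtp_auth=None, user=None, password=None):
    """Apply the 2007 smtp-auth rules: an explicit setting wins; an unset
    variable plus smtp-auth-user implies LOGIN; otherwise no SMTP AUTH."""
    if smtp_auth is not None:
        method = smtp_auth.lower()
        if method not in ("login", "cram-md5", "plain"):
            return None  # unknown value: no SMTP authentication is performed
        return method.upper()
    if user is not None:
        return "LOGIN"
    return None


def choose_sasl(ehlo_lines, smtp_auth=None, user=None, password=None):
    """Decide whether this client performs SASL AUTH and with which mechanism.
    Credentials decide; an advertised AUTH alone never triggers a login, so a
    client-cert-only configuration simply skips the SASL handshake."""
    method = configured_auth_method(smtp_auth, user, password)
    if method is None:
        return None
    if user is None or password is None:  # assumption: both always required
        raise ValueError("both smtp-auth-user and smtp-auth-password are needed")
    offered = advertised_auth_mechanisms(ehlo_lines)
    if method not in offered:
        raise ValueError(f"server does not offer {method}; offered {sorted(offered)}")
    return method
```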