On Sun, Jan 24, 2021 at 12:42:49PM +0100, Jeff Abrahamson wrote:

> 1. Users need to provide user + password to send (smtps) and receive
> (imaps). I see where I've configured this for dovecot, which is
> /etc/dovecot/passwd.db. That file contains lines like this:
>
> j...@mobilitains.fr:{BLF-CRYPT}$2y$05$c...

With this, dovecot can act as an oracle for the SASL PLAIN mechanism.

> I do not see how postfix knows who is allowed to connect, however. Does
> postfix delegate SASL to dovecot? This is the relevant config, I think:

Yes, when you use dovecot as a SASL backend.

> broken_sasl_auth_clients = yes

This should no longer be necessary.

> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_local_domain =
> smtpd_sasl_path = private/auth
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot

The above looks fine. Just in case, make sure that plaintext mechanisms
are allowed over TLS:

    smtpd_sasl_security_options = noanonymous, noplaintext
    smtpd_sasl_tls_security_options = noanonymous

(though the second is the expected default).

> 2. Any suggestions on how to test this (and continue testing it)?
> First, about today, as in, are there good commandline tools to poke at a
> postfix instance?

You can test it with "swaks". I've not added SASL client support to
posttls-finger, so while it's pretty good for testing TLS, it is not
suitable for debugging SASL.

--
    Viktor.
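As an added example (not from the thread and not Postfix or Dovecot code), a small Python check that parses `postconf -n` style output and reports whether the smtpd SASL settings match the advice in the reply above: plaintext mechanisms only after STARTTLS, and `broken_sasl_auth_clients` dropped. The two sample configurations are constructed; the fallback defaults are the ones documented in postconf(5).

```python
import re
# Constructed `postconf -n` style samples (not the poster's real main.cf):
# WEAK offers AUTH PLAIN/LOGIN on unencrypted connections, FIXED is the
# tightened form from the reply (plaintext mechanisms only after STARTTLS).
WEAK_CONFIG = """\
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
"""
FIXED_CONFIG = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
"""
# Defaults as documented in postconf(5); absent parameters fall back to these.
DEFAULTS = {
    "smtpd_sasl_auth_enable": "no",
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
}

def parse_postconf(text):
    """Parse 'name = value' lines into a dict layered over DEFAULTS."""
    params = dict(DEFAULTS)
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def option_set(params, name):
    """Expand $other references the way postconf does, then split the option list."""
    raw = re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), params.get(name, ""))
    return set(raw.replace(",", " ").split())

def audit_sasl(text):
    """Return findings for the smtpd SASL settings; empty means they match the advice."""
    p = parse_postconf(text)
    plain = option_set(p, "smtpd_sasl_security_options")
    tls = option_set(p, "smtpd_sasl_tls_security_options")
    findings = []
    if p["smtpd_sasl_auth_enable"] == "yes" and "noplaintext" not in plain:
        findings.append("PLAIN/LOGIN offered before STARTTLS: add noplaintext to smtpd_sasl_security_options")
    if "noplaintext" in tls:
        findings.append("noplaintext also set under TLS: PLAIN/LOGIN refused even on encrypted sessions")
    if p.get("broken_sasl_auth_clients") == "yes":
        findings.append("broken_sasl_auth_clients = yes is no longer needed")
    return findings
```

Run `audit_sasl(subprocess.check_output(["postconf", "-n"], text=True))` on a real host to apply the same checks to the live configuration.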