> On 2022-01-13 at 13:09:45 UTC-0500 (Thu, 13 Jan 2022 13:09:45 -0500)
> Joe Acquisto-j4 <j...@j4computers.com>
> is rumored to have said:
>
>> While reading the Postfix SASL doc,
>> (http://www.postfix.org/SASL_README.html#client_sasl),
>> I puzzled over a few things.
>>
>> - "The smtp_tls_security_level setting ensures that the connection to the
>> remote smtp server will be encrypted, and smtp_sasl_tls_security_options
>> removes the prohibition on plaintext passwords."
>>
>> Is that incorrect? Surely one would not want to send passwords in plaintext
>> as this seems to state?
>
> But only sending plaintext passwords *over an encrypted channel.*
>
> SASL has a bunch of mechanisms that provide safe authentication over a
> non-secure channel. It also has a few which are essentially plaintext, only
> armoring auth credentials with Base64 encoding. Mechanisms that never send
> the password unencrypted/unhashed over an unencrypted channel have the
> weakness that they require both sides to store the password in a recoverable
> form, whereas plaintext mechanisms allow the server to only store a 1-way hash
> of the password. Having the whole channel protected from sniffing and not
> having the password in a recoverable form on the server is a better choice
> than allowing in-the-clear transport and using a complex mechanism to just
> protect credential in transit while storing leakable passwords on the server.
>
>> - "With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP
>> client to send username and password information to the mail gateway server.
>> As discussed in the next section, the Postfix SMTP client supports multiple
>> ISP accounts. For this reason the username and password are stored in a table
>> that contains one username/password combination for each mail gateway
>> server."
>>
>> Figured I would ask before reading further. Is it not possible to
>> authenticate to the same remote (receiver) with multiple sets of credentials?
>
> Yes. The smtp_sasl_password_maps table can have full sender addresses,
> target MX hostnames, and next-hop domains as keys. For per-sender auth to work,
> you must also enable sender-dependent authentication. See the section on
> "Configuring Sender-Dependent SASL authentication" in the SOHO readme
> (http://www.postfix.org/SOHO_README.html#client_sasl_sender)
>
> --
> Bill Cole
> b...@scconsult.com or billc...@apache.org
> (AKA @grumpybozo and many *@billmail.scconsult.com addresses)
> Not Currently Available For Hire
Thanks. I am having some problems getting the SASL thing working. Not looking for any "fix" advice, but would like to establish something in my mind. Would it be valid to presume that an SMTP server that can be connected to, securely, via Outlook, Thunderbird and the other common clients, can be connected to via the postfix SASL stuff? Or is SASL/Cyrus an equine of a different hue?

joe a.
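Two points from the quoted reply lend themselves to a worked illustration: the credential table keyed by sender address, MX hostname or next-hop domain (with sender-dependent authentication enabled), and the earlier point that plaintext mechanisms are only permitted once the channel is encrypted. The following Python is an added example written for this thread, not code from the thread or from Postfix. It models the documented lookup precedence and the interaction between smtp_tls_security_level and the two SASL security-option parameters; the parameter names smtp_sender_dependent_authentication, smtp_sasl_security_options and smtp_sasl_tls_security_options are real Postfix main.cf parameters, while the map lookup is a deliberate simplification (it does not try every key form Postfix tries for the next hop, such as parent domains or bracketed/unbracketed and :port variants). The main.cf fragments and the sasl_passwd table are constructed samples.

```python
"""Simplified model of how the Postfix SMTP client picks SASL credentials
and when a plaintext mechanism (PLAIN/LOGIN) may be used.

Added example, not Postfix code. ASSUMPTION: the map lookup is simplified
and does not model every key form Postfix tries (parent domains,
bracketed/unbracketed and :port variants of the next hop).
"""
from typing import Dict, Optional, Set, Tuple

# Constructed main.cf fragment with mandatory TLS: plaintext mechanisms are
# refused on an unencrypted session and permitted once the session is encrypted.
MAIN_CF = """
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sender_dependent_authentication = yes
smtp_tls_security_level = encrypt
smtp_sasl_security_options = noplaintext, noanonymous
smtp_sasl_tls_security_options = noanonymous
relayhost = [mail.example.com]:587
"""

# Constructed weak variant: opportunistic TLS and plaintext allowed without it.
WEAK_CF = """
smtp_sasl_auth_enable = yes
smtp_tls_security_level = may
smtp_sasl_security_options = noanonymous
"""

# Constructed sasl_passwd table (sample credentials). Keys are a sender
# address, a remote server hostname, or a next-hop destination.
SASL_PASSWD = """
# key                  username:password
alice@example.net      alice-work:hunter2
mail.example.com       shared-account:s3cret
[mail.example.com]:587 shared-account:s3cret
example.org            org-account:pa55
"""

# smtp_tls_security_level values that require an encrypted session.
MANDATORY_TLS_LEVELS = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
DEFAULT_SASL_OPTIONS = "noplaintext, noanonymous"  # Postfix default


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; blank lines and comments are skipped."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def parse_sasl_passwd(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'key username:password' lines into {key: (username, password)}."""
    table: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, cred = line.split(None, 1)
        user, _, password = cred.partition(":")
        table[key.lower()] = (user, password)
    return table


def select_credentials(params, table, sender, server_host, next_hop) -> Optional[Tuple[str, Tuple[str, str]]]:
    """Return (matched key, (username, password)) or None if nothing matches.

    Order: sender address (only when smtp_sender_dependent_authentication = yes),
    then the remote server hostname, then the next-hop destination.
    """
    candidates = []
    if params.get("smtp_sender_dependent_authentication", "no") == "yes":
        candidates.append(sender)
    candidates += [server_host, next_hop]
    for key in candidates:
        if key and key.lower() in table:
            return key, table[key.lower()]
    return None


def tls_is_mandatory(params: Dict[str, str]) -> bool:
    return params.get("smtp_tls_security_level", "none") in MANDATORY_TLS_LEVELS


def sasl_options(params: Dict[str, str], session_encrypted: bool) -> Set[str]:
    """Options in force: smtp_sasl_tls_security_options on an encrypted session
    (falling back to smtp_sasl_security_options), otherwise the plain ones."""
    raw = params.get("smtp_sasl_tls_security_options") if session_encrypted else None
    if raw is None:
        raw = params.get("smtp_sasl_security_options", DEFAULT_SASL_OPTIONS)
    return {opt.strip() for opt in raw.split(",") if opt.strip()}


def plaintext_allowed(params: Dict[str, str], session_encrypted: bool) -> bool:
    return "noplaintext" not in sasl_options(params, session_encrypted)


def password_can_cross_in_clear(params: Dict[str, str]) -> bool:
    """True only if an unencrypted session is possible AND a plaintext
    mechanism is permitted on it; the setup recommended in the thread gives False."""
    return not tls_is_mandatory(params) and plaintext_allowed(params, False)


if __name__ == "__main__":
    params, table = parse_main_cf(MAIN_CF), parse_sasl_passwd(SASL_PASSWD)
    print(select_credentials(params, table, "alice@example.net",
                             "mail.example.com", "[mail.example.com]:587"))
    print("clear-text exposure, strict config:", password_can_cross_in_clear(params))
    print("clear-text exposure, weak config:", password_can_cross_in_clear(parse_main_cf(WEAK_CF)))
```

Running it shows alice's per-sender entry winning over the shared relay entry, and that the strict fragment never exposes a password in the clear while the weak one (opportunistic TLS plus plaintext permitted without TLS) can.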