
294315 Re: sasl on smtps: allowing plaintext

  • /dev/rob0
    Jul 16, 2013
      On Tue, Jul 16, 2013 at 10:03:57PM +0000, Viktor Dukhovni wrote:
      > On Tue, Jul 16, 2013 at 11:06:47PM +0200, Vincent Pelletier wrote:
      >
      > > Following pointers and advice from pj and adaptr on freenode,
      > > I've set up postfix on my box to send mail through the mail
      > > accounts I have (including the one I'm sending from now). The
      > > problem is, some of my account providers do not support TLS, so
      > > I have to use stunnel. Then, postfix logs
      > > warning: SASL authentication failure: No worthy mechs found
      > > thanks to
      > > smtp_sasl_security_options = noanonymous, noplaintext
      > > and queues the message for retry.
      > >
      > > How can I tell postfix that plaintext auth mechanisms should be
      > > allowed when sending to a specific ip (and maybe port) ?
      > > Of course, I would like to keep plaintext auth disallowed
      > > anywhere else.
      >
      > Separate destinations with incompatible SASL requirements by
      > transport (clone smtp/unix under additional names). Configure
      > each transport's SASL settings via:

      Sure, this works, but why is it a problem? Why not just enforce TLS
      where it is needed?

      http://www.postfix.org/TLS_README.html#client_tls_policy
      http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

      A Postfix which is using a relayhost is not going to connect to
      random Internet sites, and it is definitely not going to attempt to
      AUTH at any site not configured in $smtp_sasl_password_maps.

      > master.cf:
      > mumble unix ... smtp
      > -o smtp_sasl_security_options=$mumble_sasl_security_options
      >
      > main.cf:
      > mumble_sasl_security_options = ...
      >
      > transport:
      > example.com mumble:[mail.example.com]:587
      >
      > And similarly from sender_dependent_default_transport_maps, ...
      --
      http://rob0.nodns4.us/ -- system administration and consulting
      Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
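
The following is an added example, not part of the original message or of Postfix: a small audit that models the two approaches in the thread (a cloned transport with relaxed `smtp_sasl_security_options`, and per-destination TLS enforcement via `smtp_tls_policy_maps`) and reports which credentialed next hops could be sent plaintext AUTH over a session Postfix does not encrypt. The domains, next hops, the stunnel listener on port 10465 and the dictionary layout are constructed assumptions; it does not read real Postfix files.

```python
# Added example: which SASL-enabled next hops could receive plaintext AUTH
# without Postfix-enforced TLS? All configuration data below is constructed.
ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

MAIN_CF = {  # global defaults
    "smtp_tls_security_level": "may",
    "smtp_sasl_security_options": "noanonymous, noplaintext",
    "smtp_sasl_tls_security_options": "noanonymous",  # plaintext mechs OK inside TLS
}
MASTER_CF = {  # per-transport "-o" overrides; "mumble" is the cloned smtp transport
    "smtp": {},
    "mumble": {"smtp_sasl_security_options": "noanonymous"},
}
TRANSPORT = {  # recipient domain -> (transport, next hop)
    "example.com": ("mumble", "[127.0.0.1]:10465"),       # hypothetical stunnel listener
    "example.net": ("smtp", "[mail.example.net]:587"),
    "example.org": ("mumble", "[mail.example.org]:587"),  # wrong transport on purpose
}
TLS_POLICY = {"[mail.example.net]:587": "encrypt"}  # smtp_tls_policy_maps entries
SASL_PASSWORDS = {"[127.0.0.1]:10465", "[mail.example.net]:587", "[mail.example.org]:587"}

def opts(value):
    # Postfix option lists may be separated by commas and/or whitespace.
    return set(value.replace(",", " ").split())

def audit():
    findings = {}
    for domain, (transport, nexthop) in TRANSPORT.items():
        if nexthop not in SASL_PASSWORDS:
            continue  # no credentials for this next hop, so no AUTH attempt
        cfg = {**MAIN_CF, **MASTER_CF[transport]}
        level = TLS_POLICY.get(nexthop, cfg["smtp_tls_security_level"])
        if level in ENFORCING:
            findings[domain] = "ok: TLS enforced"
        elif "noplaintext" in opts(cfg["smtp_sasl_security_options"]):
            findings[domain] = "ok: plaintext mechs refused without TLS"
        elif nexthop.startswith("[127.0.0.1]"):
            findings[domain] = "review: relies on local tunnel"
        else:
            findings[domain] = "risk: plaintext AUTH possible without TLS"
    return findings

if __name__ == "__main__":
    for domain, result in audit().items():
        print(f"{domain:12} {result}")
```

The `example.org` entry shows the failure mode of the cloned-transport approach: once a relaxed transport exists, any remote next hop routed through it without an enforcing TLS policy loses the `noplaintext` protection.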