Loading ...
Sorry, an error occurred while loading the content.

294324Re: sasl on smtps: allowing plaintext

Expand Messages
  • Viktor Dukhovni
    Jul 17, 2013
      On Wed, Jul 17, 2013 at 08:19:56AM +0200, Vincent Pelletier wrote:

      > Maybe I'm being paranoid, but because not all my relays support TLS I
      > cannot be stricter than
      > smtp_tls_security_level = may
      > without also having separate transports (if I understand correctly).
      > So if I do not set noplaintext and someday one of the
      > usually-TLS-enabled relays doesn't offer TLS (config hickup...),
      > postfix will AUTH.

      The suggestion is I believe to use smtp_tls_policy_maps to ensure
      that TLS is used for destinations where you will be using plaintext
      authentication.

      # MITM resistant authenticated TLS
      [smtp.example.com]:587 secure match=smtp.example.com

      # MITM vulnerable unauthenticated TLS
      [smtp.example.com]:587 encrypt

      # Some day when provider adopts DNSSEC and publishes a suitable TLSA
      # RRset and you've deployed Postfix 2.11
      #
      [smtp.example.com]:587 dane-only

      --
      Viktor.
    • Show all 7 messages in this topic