
Re: warning:xsasl_cyrus_server_get_mechanism_list: no applicable SASL mechanisms

  • jugree@lavabit.com
    Message 1 of 13 , Dec 6, 2012
      > I would strongly suggest removing the "noplaintext" keyword during
      > testing.

      Thank you. It worked.

      > There is no best, there is only what fits your needs. I expect it's
      > common to specify
      > smtpd_sasl_security_options = noanonymous
      > smtpd_sasl_tls_security_options = noanonymous

      > and then after verifying that SASL works, adding
      > smtpd_tls_auth_only = yes

      Does it mean that my session will be encrypted using TLS, but there
      won't be any encryption inside the tunnel?

      I assume it's pretty secure for most cases. Could you confirm?

      Anyway, I'll try to configure a non-plaintext mechanism.
    • Noel Jones
      Message 2 of 13 , Dec 6, 2012
        On 12/6/2012 9:54 PM, jugree@... wrote:
        >> common to specify
        >> smtpd_sasl_security_options = noanonymous
        >> smtpd_sasl_tls_security_options = noanonymous
        >
        >> and then after verifying that SASL works, adding
        >> smtpd_tls_auth_only = yes
        >
        > Does it mean that my session will be encrypted using TLS, but there
        > won't be any encryption inside the tunnel?


        Right, postfix won't offer AUTH unless the session is TLS-encrypted,
        and all credentials are protected by TLS.

        Postfix (and the SASL backend) will still happily use any supported
        mechanisms inside TLS, but now there's no particular advantage for
        the non-plaintext mechanisms since everything is already encrypted
        with TLS.


        > I assume it's pretty secure for most cases. Could you confirm?

        More secure, because with TLS the mail content is encrypted, not
        just the credentials.


        >
        > Anyway, I'll try to configure a non-plaintext mechanism.
        >

        Many popular desktop clients only support PLAIN and LOGIN (both
        considered plain-text equivalent), but it (most likely) won't hurt
        to offer additional mechanisms.



        -- Noel Jones
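
A way to check the behaviour discussed in this thread, as an added example that is not part of the original messages: it compares the EHLO replies seen before and after STARTTLS and reports when AUTH is advertised outside TLS. The hostname `mail.example.test`, the sample replies and the finding names are constructed for illustration.

```python
import re

# PLAIN and LOGIN are the plain-text equivalent mechanisms named in the thread.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

def auth_mechs(ehlo_reply):
    """Return the SASL mechanisms advertised in a multi-line EHLO reply."""
    mechs = set()
    for line in ehlo_reply.splitlines():
        # Matches "250-AUTH PLAIN LOGIN" and the legacy "250-AUTH=PLAIN LOGIN" form.
        m = re.match(r"250[- ]AUTH[ =](.*)$", line.strip(), re.IGNORECASE)
        if m:
            mechs.update(tok.upper() for tok in m.group(1).split())
    return mechs

def has_starttls(ehlo_reply):
    """True if the reply advertises the STARTTLS extension."""
    return any(re.match(r"250[- ]STARTTLS\s*$", line.strip(), re.IGNORECASE)
               for line in ehlo_reply.splitlines())

def audit(pre_tls, post_tls):
    """Compare EHLO replies from before and after STARTTLS; return findings."""
    pre, post = auth_mechs(pre_tls), auth_mechs(post_tls)
    findings = []
    if not has_starttls(pre_tls):
        findings.append("no-starttls")           # clients cannot upgrade to TLS
    if pre:
        findings.append("auth-before-tls")       # smtpd_tls_auth_only = yes not in effect
    if pre & PLAINTEXT_MECHS:
        findings.append("plaintext-before-tls")  # password would cross the wire in clear
    if not post:
        findings.append("no-auth-after-tls")     # nothing left for clients to use
    if "ANONYMOUS" in pre | post:
        findings.append("anonymous-offered")     # noanonymous is missing
    return findings

# Constructed sample replies (not captured from a real server).
GOOD_PRE = "250-mail.example.test\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
GOOD_POST = ("250-mail.example.test\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n"
             "250-AUTH=PLAIN LOGIN\n250 8BITMIME")
BAD_PRE = ("250-mail.example.test\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n"
           "250 8BITMIME")
NO_AUTH_POST = "250-mail.example.test\n250-PIPELINING\n250 8BITMIME"

if __name__ == "__main__":
    print("tls-only auth:", audit(GOOD_PRE, GOOD_POST))
    print("auth in clear:", audit(BAD_PRE, GOOD_POST))
    print("nothing offered:", audit(GOOD_PRE, NO_AUTH_POST))
```
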