 

Re: sasl on smtps: allowing plaintext

  • Vincent Pelletier
    Message 1 of 7, Jul 17, 2013
      On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
      <postfix-users@...> wrote:
      > The suggestion is I believe to use smtp_tls_policy_maps to ensure
      > that TLS is used for destinations where you will be using plaintext
      > authentication.

      Thanks, I think I understand now:
      main.cf (or a few -o in master.cf's submission service):
      smtp_sasl_security_options = noanonymous
      smtp_tls_security_level = must
      smtp_tls_policy_maps = hash:blah

      blah:
      [127.0.0.1] none

      This is indeed closer to the mental picture I had of the solution
      (host-based lookup), but I didn't notice the need for a lax
      smtp_sasl_security_options value.

      I've the idea to someday move my postfix setup to a server also sending
      & receiving mails for its own domain. Is it a bad idea (error-prone)
      to mix both of those use cases on a single postfix, generally speaking?

      If I understand correctly, a setup with both roles would need your
      initial suggestion (which I set up successfully before noticing the
      second reply).

      Regards,
      --
      Vincent Pelletier
    • Viktor Dukhovni
      Message 2 of 7, Jul 17, 2013
        On Wed, Jul 17, 2013 at 08:10:44PM +0200, Vincent Pelletier wrote:

        > On Wed, 17 Jul 2013 13:37:53 +0000, Viktor Dukhovni
        > <postfix-users@...> wrote:
        > > The suggestion is I believe to use smtp_tls_policy_maps to ensure
        > > that TLS is used for destinations where you will be using plaintext
        > > authentication.
        >
        > Thanks, I think I understand now:
        > main.cf (or a few -o in master.cf's submission service):
        > smtp_sasl_security_options = noanonymous
        > smtp_tls_security_level = must

        "must" is not a valid value for "smtp_tls_security_level", see the
        documentation for details.

        > smtp_tls_policy_maps = hash:blah
        >
        > blah:
        > [127.0.0.1] none

        Either a secure default and insecure exceptions, or the converse.

        --
        Viktor.
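
An added example, not part of the thread and not Postfix code: a small Python check of the "secure default, insecure exceptions" layout discussed above. It flags an invalid `smtp_tls_security_level` value and any next-hop where plaintext SASL could run without mandatory TLS. The `encrypt` default, the `[smtp.example.com]:587` relay, the list of SASL next-hops and the exact-match policy lookup are assumptions made for illustration.

```python
# Added illustration: audit a Postfix SMTP client config for plaintext SASL without TLS.
VALID = {"none", "may", "encrypt", "dane", "dane-only", "fingerprint", "verify", "secure"}
ENFORCED = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}  # TLS is mandatory

def parse_main_cf(text):
    """Parse 'name = value' lines; comments skipped, continuation lines not handled."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params

def parse_policy(text):
    """Parse 'nexthop level [attributes]' lines into {nexthop: level}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0]] = fields[1]
    return table

def audit(main_cf, policy, sasl_nexthops):
    """Return findings for invalid levels and for plaintext SASL without mandatory TLS."""
    params, table = parse_main_cf(main_cf), parse_policy(policy)
    # Simplification: an unset level is treated as "none".
    default = params.get("smtp_tls_security_level", "none")
    sasl_opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    plaintext_ok = "noplaintext" not in sasl_opts.replace(",", " ").split()
    findings = []
    for where, level in [("main.cf default", default)] + sorted(table.items()):
        if level not in VALID:
            findings.append(f"invalid TLS level '{level}' ({where})")
    for hop in sasl_nexthops:
        level = table.get(hop, default)  # assumption: exact next-hop match only
        if plaintext_ok and level not in ENFORCED:
            findings.append(f"plaintext SASL without mandatory TLS: {hop} ({level})")
    return findings

# Configuration as posted in the thread, and a corrected default (assumed: encrypt).
POSTED_MAIN = """\
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = must
smtp_tls_policy_maps = hash:blah
"""
CORRECTED_MAIN = POSTED_MAIN.replace("= must", "= encrypt")
POLICY = "[127.0.0.1] none\n"          # the exception table from the thread
RELAY = "[smtp.example.com]:587"       # constructed next-hop holding SASL credentials
```

Calling `audit(POSTED_MAIN, POLICY, [RELAY])` reports the invalid `must` value and the exposed relay, while `audit(CORRECTED_MAIN, POLICY, [RELAY])` returns no findings.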