Question regarding SASL auth only over TLS in SMTP server

J Doe
Hi,

I have a question about enabling SASL authentication in the Postfix SMTP server *ONLY* over TLS.

In the documentation [1] under the “Encrypted SMTP session (TLS)” heading, it lists recommended configurations for SASL auth that restrict the SASL mechanisms to noanonymous and noplaintext:

    A more sophisticated policy . . . but only over a TLS-encrypted connection:

    /etc/postfix/main.cf
        smtpd_sasl_security_options = noanonymous, noplaintext
        smtpd_sasl_tls_security_options = noanonymous

It then lists the following:

    To offer SASL authentication only after a TLS-encrypted session . . .

    /etc/postfix/main.cf
        smtpd_tls_auth_only = yes

Does this mean that the smtpd_tls_auth_only parameter supersedes the mechanism configuration options, or do I need the following if I want to have noanonymous and noplaintext mechanisms only over TLS:

    /etc/postfix/main.cf
        smtpd_sasl_security_options = noanonymous, noplaintext
        smtpd_sasl_tls_security_options = noanonymous
        smtpd_tls_auth_only = yes

Thanks,

- J

Notes:

[1] Closest section is: http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options

Re: Question regarding SASL auth only over TLS in SMTP server

Noel Jones-2
On 1/19/2018 3:21 PM, J Doe wrote:

>
>     /etc/postfix/main.cf
>         smtpd_sasl_security_options = noanonymous, noplaintext
>         smtpd_sasl_tls_security_options = noanonymous
>         smtpd_tls_auth_only = yes

Typically one would put all three lines above in main.cf.

Although the non-tls smtpd_sasl_security_options won't really be
used as long as smtpd_tls_auth_only=yes, it's not unreasonable to
include it as a safety.



  -- Noel Jones
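
An added example, not part of either post and not Postfix code: a small audit that reads main.cf text and reports how the three parameters from this thread combine. The function names and the weak sample configuration are constructed for illustration; the defaults in `DEFAULTS` are the documented Postfix defaults, and only the default `$smtpd_sasl_security_options` reference is expanded.

```python
import re

DEFAULTS = {  # Postfix defaults for the three parameters discussed in the thread
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
    "smtpd_tls_auth_only": "no",
}
# The configuration from the thread, and a constructed weak one for contrast.
THREAD_CF = ("smtpd_sasl_security_options = noanonymous, noplaintext\n"
             "smtpd_sasl_tls_security_options = noanonymous\n"
             "smtpd_tls_auth_only = yes\n")
WEAK_CF = "# constructed sample\nsmtpd_sasl_security_options =\n    noanonymous\n"

def parse_main_cf(text):
    """Parse main.cf text: skip comments, join continuation lines, last value wins."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:   # indented line continues the previous one
            params[current] += " " + raw.strip()
        elif "=" in raw:
            name, _, value = raw.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def options(params, name):
    """Effective option set; resolves only the default $smtpd_sasl_security_options."""
    value = params.get(name, DEFAULTS[name])
    if value == "$smtpd_sasl_security_options":
        value = params.get("smtpd_sasl_security_options", DEFAULTS["smtpd_sasl_security_options"])
    return {o for o in re.split(r"[,\s]+", value) if o}

def audit(text):
    p = parse_main_cf(text)
    tls_only = p.get("smtpd_tls_auth_only", DEFAULTS["smtpd_tls_auth_only"]).lower() == "yes"
    clear = options(p, "smtpd_sasl_security_options")
    tls = options(p, "smtpd_sasl_tls_security_options")
    findings = []
    if not tls_only:
        findings.append("AUTH is offered before STARTTLS (smtpd_tls_auth_only is not yes)")
        if "noplaintext" not in clear:
            findings.append("plaintext mechanisms are allowed on unencrypted sessions")
    elif "noplaintext" not in clear:
        findings.append("no noplaintext fallback if smtpd_tls_auth_only is later disabled")
    for label, opts in (("unencrypted", clear), ("TLS", tls)):
        if "noanonymous" not in opts:
            findings.append(f"anonymous mechanisms are allowed on {label} sessions")
    return {"auth_before_tls": not tls_only, "findings": findings}
```

`audit(THREAD_CF)` returns no findings, while `audit(WEAK_CF)` reports both the pre-TLS AUTH offer and the plaintext mechanisms. Per-service `-o` overrides in master.cf are not considered here.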