Patrick Ben Koetter:
> A reasonable setting is:
>
>     smtpd_sasl_security_options = noanonymous
>
> This allows any available mechanism except for anonymous, as it is highly
> exploitable in the context of SMTP. (It's usable in the context of FTP or IMAP
> shared folder access.)
>
> Another reasonable setting is:
>
>     smtpd_sasl_security_options = noanonymous, noplaintext
>
> If you can't use TLS to shield SMTP AUTH conducted using plaintext mechanisms,
> then you should not offer them.
>
> A good compromise is to forbid plaintext over unencrypted, but permit it over
> encrypted communication (TLS):
>
>     smtpd_sasl_security_options = noanonymous, noplaintext
>     smtpd_tls_sasl_security_options = noanonymous
>
> As soon as a client has started a TLS session, the SMTP session is restarted.
> The server then offers plaintext mechanisms and the client may use them
> securely.
Unfortunately, this should be:

    smtpd_sasl_tls_security_options

	Wietse
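The parameter-name mix-up above is easy to miss because the misspelled name is simply ignored, and the TLS setting then silently inherits the plaintext one (smtpd_sasl_tls_security_options defaults to the value of smtpd_sasl_security_options), so PLAIN/LOGIN are never offered even after STARTTLS. The following is an added example, not code from the thread or from Postfix: a small offline checker that parses a main.cf fragment and reports the misspelling, an unencrypted session that offers plaintext mechanisms, and a TLS setting that still forbids them. The three config fragments are constructed for the demonstration; the parser does not expand $name references beyond the one default case it needs. On a real server, postconf -n and the daemon's own "unused parameter" warnings are the authoritative check.

```python
import re

# Parameter names as documented in postconf(5).
SASL_OPTS = "smtpd_sasl_security_options"
SASL_TLS_OPTS = "smtpd_sasl_tls_security_options"
# The misspelling from the thread; Postfix does not know this name.
MISSPELLED = "smtpd_tls_sasl_security_options"


def parse_main_cf(text):
    """Parse a main.cf fragment into {name: value}.

    Handles '#' comment lines and continuation lines, which main.cf
    marks with leading whitespace. $name references are kept verbatim.
    """
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a "name = value" line
        last = name.strip()
        params[last] = value.strip()
    return params


def split_opts(value):
    """Split a comma/whitespace separated option list into a set."""
    return {o for o in re.split(r"[,\s]+", value) if o}


def audit(text):
    """Return a list of findings for the SMTP AUTH security options.

    An empty list means the fragment matches the 'compromise' setting
    from the thread: no plaintext before TLS, plaintext allowed after.
    """
    p = parse_main_cf(text)
    findings = []

    if MISSPELLED in p:
        findings.append(
            f"unknown parameter {MISSPELLED}: Postfix ignores it; "
            f"use {SASL_TLS_OPTS}"
        )

    # Postfix defaults: smtpd_sasl_security_options = noanonymous, and
    # smtpd_sasl_tls_security_options = $smtpd_sasl_security_options.
    plain = split_opts(p.get(SASL_OPTS, "noanonymous"))
    if SASL_TLS_OPTS in p and p[SASL_TLS_OPTS] != "$" + SASL_OPTS:
        tls = split_opts(p[SASL_TLS_OPTS])
    else:
        tls = plain

    if "noanonymous" not in plain:
        findings.append("anonymous SASL allowed on unencrypted sessions")
    if "noplaintext" not in plain:
        findings.append("plaintext mechanisms offered on unencrypted sessions")
    if "noanonymous" not in tls:
        findings.append("anonymous SASL allowed on TLS sessions")
    if "noplaintext" in tls:
        findings.append(
            "noplaintext also applies to TLS sessions: PLAIN/LOGIN are never "
            "offered, so clients that only support them cannot authenticate"
        )
    return findings


# Constructed fragments for the demonstration (not from a real server).
WEAK_CF = """\
# offers PLAIN/LOGIN before STARTTLS
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

TYPO_CF = """\
# the misspelled name from the thread; TLS sessions inherit noplaintext
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_tls_sasl_security_options = noanonymous
"""

FIXED_CF = """\
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
"""

if __name__ == "__main__":
    for label, cf in (("weak", WEAK_CF), ("typo", TYPO_CF), ("fixed", FIXED_CF)):
        print(label + ":", audit(cf) or ["ok"])
```

Running it prints one finding for the weak fragment, two for the misspelled one (the unknown parameter, and the resulting loss of PLAIN/LOGIN over TLS), and "ok" for the corrected configuration.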