On 23 Nov 2015, at 1:58, Mufit Eribol wrote:

> Viktor, thank you for your check. I am relieved.
>
> I realized that the related switch is
>
> smtpd_tls_auth_only = yes
>
> If it is changed to "no", then "AUTH PLAIN LOGIN" is also advertised.

You should understand what that does, since it is potentially very dangerous. If anyone actually *USES* a plaintext authentication mechanism (PLAIN or LOGIN) without the protection of TLS encryption, their authentication credentials are vulnerable to simple network sniffing attacks anywhere in the path between the server and the client. A high-quality SMTP client won't ever attempt plaintext authentication outside of TLS, but there are a lot of people using shoddy clients that might do so, IF the capability is advertised. Put more simply:

NOT advertising "AUTH PLAIN LOGIN" on unencrypted SMTP sessions is a security feature of Postfix (and some other MTAs) and is NOT indicative of a problem of any sort.
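As an added illustration of the behaviour described above (this is example code written for this page, not anything from the thread or from Postfix itself), the following script parses EHLO capability replies and flags the misconfiguration the reply warns about: a server that advertises AUTH PLAIN or AUTH LOGIN on a session where TLS is not yet active. The three EHLO replies are constructed samples; the hostname mail.example.com is a placeholder, and the "AUTH=" keyword is the legacy non-standard spelling Postfix emits for old clients when `broken_sasl_auth_clients` is enabled.

```python
"""Audit SMTP EHLO replies for plaintext AUTH exposure (example code)."""
import re

# Mechanisms that transmit the credential in the clear (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample: correctly configured server, before STARTTLS.
# No AUTH line is present, exactly as smtpd_tls_auth_only = yes produces.
BEFORE_STARTTLS = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample: the same server after STARTTLS succeeded.
AFTER_STARTTLS = """250-mail.example.com
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample: smtpd_tls_auth_only = no, so AUTH is offered in the clear.
MISCONFIGURED_CLEARTEXT = """250-mail.example.com
250-PIPELINING
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME"""

_LINE = re.compile(r"^250([ -])(.*)$")


def parse_ehlo(response: str) -> dict:
    """Turn a multi-line 250 EHLO reply into {KEYWORD: [parameters]}.

    The first line carries the server hostname, not a capability, so it is
    skipped. Both 'AUTH PLAIN LOGIN' and the legacy 'AUTH=PLAIN LOGIN'
    spelling are normalised to the key 'AUTH'.
    """
    caps: dict = {}
    for index, raw in enumerate(response.strip().splitlines()):
        match = _LINE.match(raw.rstrip("\r"))
        if match is None:
            raise ValueError(f"not a 250 EHLO line: {raw!r}")
        if index == 0:
            continue  # greeting line: "250-hostname"
        keyword, *params = match.group(2).split()
        if keyword.upper().startswith("AUTH="):
            params = [keyword[5:]] + params
            keyword = "AUTH"
        keyword = keyword.upper()
        caps.setdefault(keyword, [])
        for mech in params:
            if mech not in caps[keyword]:
                caps[keyword].append(mech)
    return caps


def advertised_auth_mechs(response: str) -> set:
    """Return the set of SASL mechanisms the reply advertises (possibly empty)."""
    return set(parse_ehlo(response).get("AUTH", []))


def exposes_plaintext_auth(response: str, tls_active: bool) -> bool:
    """True when a plaintext mechanism is offered while TLS is NOT active.

    This is the condition smtpd_tls_auth_only = yes is meant to prevent.
    After STARTTLS the same advertisement is fine, since the session is encrypted.
    """
    if tls_active:
        return False
    return bool(advertised_auth_mechs(response) & PLAINTEXT_MECHS)


if __name__ == "__main__":
    for label, reply, tls in (
        ("correct, pre-STARTTLS", BEFORE_STARTTLS, False),
        ("correct, post-STARTTLS", AFTER_STARTTLS, True),
        ("auth_only=no, pre-STARTTLS", MISCONFIGURED_CLEARTEXT, False),
    ):
        verdict = "EXPOSED" if exposes_plaintext_auth(reply, tls) else "ok"
        print(f"{label:28s} AUTH={sorted(advertised_auth_mechs(reply))} -> {verdict}")
```

To audit a live server the reply strings would come from the two EHLO exchanges of a real session (one before and one after STARTTLS); the decision logic is identical, and the check only reads capability advertisements, never sends credentials.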
