[email protected]:
> There are ports that exist for encrypted transfer of this data
> (such as 465, 587). What is the current state of the art for
> preventing the user's client software from being able to do this
> (sending their authentication details plaintext)? Is it safe to
> simply block this port external to the machine, for example, in
> the router?
Don't enable SASL auth on port 25.
Do require smtpd_tls_auth_only=yes on port 587.
This is easiest implemented by setting smtpd_sasl_auth_enable and
smtpd_tls_auth_only in the master.cf entry for the port 587 service,
and not setting them in main.cf.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
(similar for the obsolete 'smtps' service on port 465).
mua_client_restrictions, mua_helo_restrictions, mua_sender_restrictions
can then be specified in main.cf.
Wietse
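The following is an added illustration for this thread, not Wietse's code and not part of Postfix. It parses a constructed master.cf snippet in the layout shown above (a line beginning with whitespace continues the previous service entry, and each `-o name=value` token is a per-service override that takes precedence over main.cf) together with a constructed main.cf, then checks the two properties the reply asks for: no SASL auth on the port-25 `smtp` service, and TLS enforced before AUTH on `submission`. The `audit` function and its finding strings are assumptions of this example.

```python
"""Audit a Postfix master.cf/main.cf pair for plaintext-AUTH exposure.

Example code written for this thread (not Postfix's own tooling). It
parses a constructed master.cf snippet plus a constructed main.cf and
reports any service that could accept SASL credentials without TLS.
"""
import re

# Constructed sample input mirroring the submission entry discussed above.
MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

# Constructed main.cf: SASL stays off globally, so port 25 never offers AUTH.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = no
smtpd_tls_auth_only = no
"""


def parse_main_cf(text):
    """Return {parameter: value} from main.cf, ignoring comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service_name: {"type": ..., "overrides": {...}}}.

    A line that starts with whitespace continues the previous service
    entry; its '-o name=value' tokens are per-service parameter overrides.
    """
    services = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            if current is None:
                raise ValueError("continuation line before any service entry")
            for m in re.finditer(r"-o\s+([^=\s]+)=(\S*)", line):
                services[current]["overrides"][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf line: {line!r}")
        current = fields[0]
        services[current] = {"type": fields[1], "overrides": {}}
    return services


def effective(service, param, services, main_params, default=""):
    """Per-service -o override wins over main.cf, which wins over the default."""
    return services[service]["overrides"].get(param, main_params.get(param, default))


def audit(master_text, main_text):
    """Return a list of findings; an empty list means no plaintext-AUTH exposure."""
    services = parse_master_cf(master_text)
    main_params = parse_main_cf(main_text)
    findings = []
    # Port 25 ('smtp' service) must not offer SASL auth at all.
    if "smtp" in services and effective(
            "smtp", "smtpd_sasl_auth_enable", services, main_params, "no") == "yes":
        findings.append("smtp: SASL auth enabled on port 25")
    # Submission must require TLS before AUTH and must actually offer AUTH.
    if "submission" in services:
        tls = effective("submission", "smtpd_tls_security_level", services, main_params, "none")
        if tls != "encrypt":
            findings.append(f"submission: smtpd_tls_security_level is {tls!r}, expected 'encrypt'")
        if effective("submission", "smtpd_tls_auth_only", services, main_params, "no") != "yes":
            findings.append("submission: smtpd_tls_auth_only is not 'yes'")
        if effective("submission", "smtpd_sasl_auth_enable", services, main_params, "no") != "yes":
            findings.append("submission: smtpd_sasl_auth_enable is not 'yes'")
    return findings


if __name__ == "__main__":
    for finding in audit(MASTER_CF, MAIN_CF) or ["OK: no plaintext-AUTH exposure found"]:
        print(finding)
```

On a live system the same checks can be made against the real files with `postconf -P` (per-service master.cf overrides) and `postconf` (main.cf values), which is the authoritative view of what Postfix will actually apply.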