John Fawcett:
> On 12/03/2016 04:10 PM, Wietse Venema wrote:
> > [email protected]:
> >> There are ports that exist for encrypted transfer of this data
> >> (such as 465, 587). What is the current state of the art for
> >> preventing the user's client software from being able to do this
> >> (sending their authentication details plaintext)? Is it safe to
> >> simply block this port external to the machine, for example, in
> >> the router?
> > Don't enable SASL auth on port 25.
> >
> > Do require smtpd_tls_auth_only=yes on port 587.
> >
> > This is easiest implemented by setting smtpd_sasl_auth_enable and
> > smtpd_tls_auth_only in the master.cf entry for the port 587 service,
> > and not setting them in main.cf.
> >
> > submission inet n - n - - smtpd
> >   -o syslog_name=postfix/submission
> >   -o smtpd_tls_security_level=encrypt
> >   -o smtpd_sasl_auth_enable=yes
> >   -o smtpd_sasl_auth_only=yes
> >   -o smtpd_reject_unlisted_recipient=no
> >   -o smtpd_client_restrictions=$mua_client_restrictions
> >   -o smtpd_helo_restrictions=$mua_helo_restrictions
> >   -o smtpd_sender_restrictions=$mua_sender_restrictions
> >   -o smtpd_recipient_restrictions=
> >   -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
> >   -o milter_macro_daemon_name=ORIGINATING
> >
> > (similar for the obsolete 'smtps' service on port 465).
> >
> > mua_client_restrictions, mua_helo_restrictions, mua_sender_restrictions
> > can then be specified in main.cf.
> >
> > Wietse
>
> Wietse
>
> this looks like a typo
>
> -o smtpd_sasl_auth_only=yes
>
> that should be
>
> -o smtpd_tls_auth_only=yes
>
> in line with your comment above the config.
Yes.
Wietse
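An added example, not part of the thread and not Postfix's own code: a small Python script that parses master.cf entries (and optionally main.cf) and checks the two rules given above, no SASL AUTH on the port 25 service and AUTH only over TLS on the submission service. The sample entries are constructed; QUOTED is the entry as posted, including the misspelled override, and the check flags it because a misspelled -o name simply leaves the intended parameter unset. Note that in the posted entry smtpd_tls_security_level=encrypt already forces STARTTLS before any AUTH; smtpd_tls_auth_only=yes is what protects a service where TLS is merely optional, so the script requires both. On a live system `postconf -M` lists the effective master.cf entries; this script only reads file text, and the smtps/465 wrapper-mode service is left out.

```python
"""Lint Postfix master.cf (plus main.cf) for plaintext-AUTH mistakes.

Added example, not Postfix code. Rules checked:
  1. the port 25 service (smtp) must not have smtpd_sasl_auth_enable=yes
  2. the submission service must have smtpd_sasl_auth_enable=yes,
     smtpd_tls_auth_only=yes and smtpd_tls_security_level=encrypt
Effective value = main.cf setting overridden by the entry's -o settings.
"""
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str        # first column, e.g. "smtp" (port 25) or "submission" (587)
    type: str        # second column: inet, unix, fifo, pass
    command: str     # eighth column, e.g. "smtpd"
    overrides: dict = field(default_factory=dict)   # "-o key=value" settings


def parse_main_cf(text):
    """Minimal main.cf parser: 'key = value' lines, '#' comments, no continuations."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Parse master.cf entries. A line starting with whitespace continues the
    preceding entry; space-separated '-o key=value' pairs become overrides."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        tokens = raw.split()
        if raw[0] in " \t":                        # continuation line
            if not services:
                raise ValueError("continuation line before any service entry")
            extra = tokens
        else:                                      # new entry: 8 fixed columns, then args
            if len(tokens) < 8:
                raise ValueError(f"malformed master.cf entry: {raw!r}")
            services.append(Service(tokens[0], tokens[1], tokens[7]))
            extra = tokens[8:]
        svc = services[-1]
        i = 0
        while i < len(extra):
            if extra[i] == "-o" and i + 1 < len(extra):
                key, _, value = extra[i + 1].partition("=")
                svc.overrides[key] = value         # may be empty: smtpd_recipient_restrictions=
                i += 2
            else:
                i += 1
    return services


def audit(services, main_cf=None):
    """Return a list of findings (empty means both rules hold)."""
    main_cf = main_cf or {}
    findings = []
    for svc in services:
        if svc.type != "inet" or not svc.command.startswith("smtpd"):
            continue
        eff = {**main_cf, **svc.overrides}         # -o wins over main.cf
        if svc.name in ("smtp", "25"):
            if eff.get("smtpd_sasl_auth_enable") == "yes":
                findings.append(f"{svc.name}: SASL AUTH is enabled on port 25")
        elif svc.name in ("submission", "587"):
            if eff.get("smtpd_sasl_auth_enable") != "yes":
                findings.append(f"{svc.name}: smtpd_sasl_auth_enable=yes missing")
            if eff.get("smtpd_tls_auth_only") != "yes":
                findings.append(f"{svc.name}: smtpd_tls_auth_only=yes missing")
            if eff.get("smtpd_tls_security_level") != "encrypt":
                findings.append(f"{svc.name}: smtpd_tls_security_level=encrypt missing")
    return findings


# Constructed samples. QUOTED is the entry as posted in the thread, typo included;
# FIXED is the same entry with the override spelled smtpd_tls_auth_only.
QUOTED = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_auth_only=yes
  -o smtpd_reject_unlisted_recipient=no
  -o smtpd_client_restrictions=$mua_client_restrictions
  -o smtpd_helo_restrictions=$mua_helo_restrictions
  -o smtpd_sender_restrictions=$mua_sender_restrictions
  -o smtpd_recipient_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
"""
FIXED = QUOTED.replace("smtpd_sasl_auth_only=yes", "smtpd_tls_auth_only=yes")

# A main.cf that enables SASL globally: the port 25 entry inherits it (rule 1).
GLOBAL_SASL_MAIN_CF = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = yes\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", QUOTED), ("corrected", FIXED)):
        print(label, audit(parse_master_cf(cfg)) or "OK")
```

Running it prints one finding for the posted entry (the missing smtpd_tls_auth_only) and OK for the corrected one; passing the global main.cf sample as the second argument of audit() shows why the two parameters belong in the master.cf entry rather than main.cf.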