On 15:43 Wed 28 Jan, Wietse Venema wrote:
> That is, if the SASL client was activated then we update it,
> and otherwise we don't bother (don't wake up sleeping dogs).

Okay. I'll use the way you have it, do you want me to resubmit that?

> The choice of SASL security options is unclear. If TLS is turned
> on, then it was turned on by the XCLIENT proxy. We don't know if
> it is safe for the remote SMTP client to send its passwords in
> plaintext.

I understand the concern here. In our case, the proxy will always initiate the connection to the postfix machines with the same security used in the original connection. Inbound plaintext connections will proxy as plaintext, TLS as TLS, and thus this is not an issue for us.

XCLIENT doesn't appear to have a way to say if the client connection is secured or not. If that existed, I suppose it could use that instead, but otherwise I can't see that there is a solution here. With no alternative, it makes sense to me to trust the sysadmins setting up the proxy architecture. Do you have any other ideas?

Thanks,
Matthew