On 8/23/2013 9:35 PM, David Hulsebus wrote:
> 
> When I added "noplaintext" as a security option and because MD5 was in the
> mech list SASL complained about no auth mechanism when it started. MD5 was
> already in the mech list but never failed because auth never reached it in
> the past, plain took precedence.
> 
> I removed "noplaintext" and removed everything but plain and login in the
> mech list and all works well again. 
> 
> Thank you to all who offered your expertise. I have a follow up question.
> 
> Why shouldn't I require TLS to encrypt all sessions for any clients who
> authenticate to send mail out? Isn't that what the following parameter
> accomplishes?
> 
> smtpd_tls_security_level = encrypt

The setting above is typically used as a -o override option for the
submission service on port 587, never for general SMTP on port 25.

If you must offer AUTH on port 25, most folks also set
# main.cf
smtpd_tls_auth_only = yes
to require encryption before AUTH is even offered. See:
http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

Probably better is to only offer AUTH on submission port 587 with
required encryption, and not offer AUTH at all on port 25. Although
getting all your clients to change their settings can be a challenge...


  -- Noel Jones
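
The layout described in the reply above, written out as an added configuration example. It is not taken from either poster's files, and it assumes a TLS certificate and key are already configured for smtpd and that SASL itself (smtpd_sasl_type, smtpd_sasl_path) is already working.

```conf
# /etc/postfix/main.cf -- defaults, these apply to the port 25 listener
# Opportunistic TLS only on port 25. Setting "encrypt" here would require
# TLS from every sending MTA, which is what the reply says never to do
# for general SMTP.
smtpd_tls_security_level = may

# Preferred layout: no AUTH at all on port 25.
smtpd_sasl_auth_enable = no

# If AUTH must stay on port 25, use these two lines instead of the "no"
# above so AUTH is only announced after STARTTLS has completed:
#   smtpd_sasl_auth_enable = yes
#   smtpd_tls_auth_only = yes

# PLAIN and LOGIN are the working mechanisms in this thread, so
# "noplaintext" is left out; the TLS layer protects the credentials.
smtpd_sasl_security_options = noanonymous

# /etc/postfix/master.cf -- submission service on port 587
# The -o overrides replace the main.cf values for this listener only:
# TLS is mandatory, AUTH is offered, unauthenticated clients are refused.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

After a reload, "postconf -n" shows the main.cf values in effect, and an EHLO to port 25 before STARTTLS should list no AUTH line.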
