On 12/3/2016 at 10:45 AM, "John Fawcett" <j...@voipsupport.it> wrote:
>
>On 12/03/2016 05:25 PM, rich.gre...@hushmail.com wrote:
>> Here I am, replying to my own post again. What I said in the
>> prior post wasn't entirely true. I realized that I used the wrong
>> password in my prior attempt. I am still granted access to the
>> SMTP service after authenticating in plaintext on port 25.
>>
>> So I'm somewhat confused how to prevent/discourage users from
>> sending their authentication detail in the clear when there are
>> secure methods that exist (such as, $ openssl s_client -starttls
>> smtp -connect example.com:587)
>>
>>
>> $ telnet example.com 25
>> Trying 87.138.xxx.yyy...
>> Connected to example.com.
>> Escape character is '^]'.
>> 220 example.com ESMTP Postfix (Ubuntu)
>> ehlo example.com
>> 250-example.com
>> 250-PIPELINING
>> 250-SIZE 10240000
>> 250-VRFY
>> 250-ETRN
>> 250-STARTTLS
>> 250-AUTH PLAIN LOGIN
>> 250-AUTH=PLAIN LOGIN
>> 250-ENHANCEDSTATUSCODES
>> 250-8BITMIME
>> 250 DSN
>> AUTH LOGIN
>> 334 VXNlcm5hbWU6
>> dXNlckBleGFtcGxlLmNvbQ==
>> 334 UGFzc3dvcmQ6
>> eW91IHdvdWxkIGRlY29kZSB0aGlz
>> 235 2.7.0 Authentication successful
>> quit
>>
>>
>> Thanks
>>
>Sounds as though you have not disabled auth on port 25, so you have
>still got
>
>smtpd_sasl_auth_only=yes
>

You mean, 'smtpd_tls_auth_only=yes' ?

>for the smtpd service. You may have configured that in main.cf by
>changing the default value or in master.cf for the specific smtpd
>entry.
>

In the main.cf, I have set globally

smtpd_tls_auth_only = yes

and in the master.cf, just to make sure, I have:

submission inet n - n - - smtpd
  -o smtpd_tls_auth_only=yes

So yes, after changing no -> yes in the main.cf, I get the permissions
that I want.

>John
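
An added example, not part of the original thread: a Python check that reports which SASL mechanisms an EHLO reply offers before STARTTLS, run on the reply posted above and on a constructed reply with the AUTH lines removed, as expected once smtpd_tls_auth_only=yes is in effect. The function names and the AFTER sample are assumptions made for this illustration; probe() needs network access and is meant for a server you administer.

```python
import base64
import smtplib

# EHLO reply from the post above (port 25, before STARTTLS).
BEFORE = ["250-example.com", "250-PIPELINING", "250-SIZE 10240000", "250-VRFY",
          "250-ETRN", "250-STARTTLS", "250-AUTH PLAIN LOGIN",
          "250-AUTH=PLAIN LOGIN", "250-ENHANCEDSTATUSCODES", "250-8BITMIME",
          "250 DSN"]
# Constructed sample: the same reply with AUTH no longer announced pre-TLS.
AFTER = [line for line in BEFORE if "AUTH" not in line]


def cleartext_auth_mechs(ehlo_lines):
    """SASL mechanisms advertised in an EHLO reply received without TLS."""
    mechs = []
    for line in ehlo_lines:
        if not line.startswith("250"):
            continue
        # Drop the "250-"/"250 " prefix; treat legacy "AUTH=" like "AUTH ".
        keyword, _, rest = line[4:].strip().replace("=", " ", 1).partition(" ")
        if keyword.upper() == "AUTH":
            mechs += [m.upper() for m in rest.split() if m.upper() not in mechs]
    return mechs


def decode_auth_login(b64_values):
    """AUTH LOGIN prompts and answers are base64 encoded, not encrypted."""
    return [base64.b64decode(v).decode("utf-8") for v in b64_values]


def probe(host, port=25, timeout=10):
    """Live check (needs network): AUTH mechanisms before and after STARTTLS."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        before = s.esmtp_features.get("auth", "").split()
        after = []
        if s.has_extn("starttls"):
            s.starttls()
            s.ehlo()  # the server sends a fresh feature list inside TLS
            after = s.esmtp_features.get("auth", "").split()
    return before, after


if __name__ == "__main__":
    print("pre-TLS AUTH, as posted:", cleartext_auth_mechs(BEFORE))
    print("pre-TLS AUTH, hardened: ", cleartext_auth_mechs(AFTER))
    print(decode_auth_login(["VXNlcm5hbWU6", "UGFzc3dvcmQ6"]))
```

A passing configuration returns an empty list from cleartext_auth_mechs() for the port 25 reply, and probe() returns an empty first element with the mechanisms appearing only in the second.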