Hi,
I have a question about enabling SASL authentication in the Postfix SMTP server
*ONLY* over TLS.
In the documentation [1] under the “Encrypted SMTP session (TLS)” heading, it
lists recommended configurations for SASL auth that restrict the SASL
mechanisms to noanonymous and noplaintext:

    A more sophisticated policy . . . but only over a TLS-encrypted connection:

    /etc/postfix/main.cf
        smtpd_sasl_security_options = noanonymous, noplaintext
        smtpd_sasl_tls_security_options = noanonymous

It then lists the following:

    To offer SASL authentication only after a TLS-encrypted session . . .

    /etc/postfix/main.cf
        smtpd_tls_auth_only = yes

Does this mean that the smtpd_tls_auth_only parameter supersedes the mechanism
configuration options, or do I need the following if I want to have noanonymous
and noplaintext mechanisms only over TLS:

    /etc/postfix/main.cf
        smtpd_sasl_security_options = noanonymous, noplaintext
        smtpd_sasl_tls_security_options = noanonymous
        smtpd_tls_auth_only = yes

Thanks,
- J
Notes:
[1] Closest section is:
http://www.postfix.org/SASL_README.html#smtpd_sasl_security_options
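
A small model of how the three parameters quoted in the message combine per session, added here as an illustration; it is not part of the original message and is not Postfix code. It assumes SASL authentication is already enabled and STARTTLS is offered, uses the documented defaults for the three parameters, and the function names (parse_main_cf, auth_policy) are hypothetical.

```python
import re

# Documented Postfix defaults for the three parameters quoted in the post.
DEFAULTS = {
    "smtpd_sasl_security_options": "noanonymous",
    "smtpd_sasl_tls_security_options": "$smtpd_sasl_security_options",
    "smtpd_tls_auth_only": "no",
}

def parse_main_cf(text):
    """Parse main.cf text: '#' comment lines are skipped, and a line that
    starts with whitespace continues the previous 'name = value' line."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current:
            params[current] += " " + line.strip()
            continue
        name, sep, value = line.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def _lookup(params, name):
    return params.get(name, DEFAULTS.get(name, ""))

def _options(params, name):
    # Expand one level of $name / ${name}, then split on commas or whitespace.
    value = re.sub(r"\$\{?(\w+)\}?", lambda m: _lookup(params, m.group(1)),
                   _lookup(params, name))
    return {opt for opt in re.split(r"[,\s]+", value) if opt}

def auth_policy(params, tls_active):
    """Return the SASL security options in force for a session, or None
    when AUTH is neither announced nor accepted in that session."""
    if tls_active:
        return _options(params, "smtpd_sasl_tls_security_options")
    if _lookup(params, "smtpd_tls_auth_only").lower() == "yes":
        return None
    return _options(params, "smtpd_sasl_security_options")

# Constructed sample: the combined settings asked about in the post.
COMBINED = """\
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_tls_auth_only = yes
"""
```

For the combined settings, auth_policy(parse_main_cf(COMBINED), tls_active=False) returns None and the TLS case returns {'noanonymous'}, so in this model smtpd_sasl_security_options is never consulted once smtpd_tls_auth_only = yes and the TLS options are set explicitly.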