On 2022-01-13 at 13:09:45 UTC-0500 (Thu, 13 Jan 2022 13:09:45 -0500)
Joe Acquisto-j4 <j...@j4computers.com>
is rumored to have said:

> While reading the Postfix SASL doc,  
> (http://www.postfix.org/SASL_README.html#client_sasl),
> I puzzled over a few things.
>
> - "The smtp_tls_security_level setting ensures that the connection to the 
> remote smtp server will be encrypted, and smtp_sasl_tls_security_options 
> removes the prohibition on plaintext passwords."
>
> Is that incorrect?  Surely one would not want to send passwords in plaintext 
> as this seems to state?

But only sending plaintext passwords *over an encrypted channel.*

SASL has a bunch of mechanisms that provide safe authentication over a 
non-secure channel. It also has a few which are essentially plaintext, only 
armoring auth credentials with Base64 encoding. Mechanisms that never send the 
password unencrypted/unhashed over an unencrypted channel have the weakness 
that they require both sides to store the password in a recoverable form, 
whereas plaintext mechanisms allow the server to only store a 1-way hash of the 
password. Having the whole channel protected from sniffing and not having the 
password in a recoverable form on the server is a better choice than allowing 
in-the-clear transport and using a complex mechanism to just protect credentials 
in transit while storing leakable passwords on the server.

> - "With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP 
> client to send username and password information to the mail gateway server. 
> As discussed in the next section, the Postfix SMTP client supports multiple 
> ISP accounts. For this reason the username and password are stored in a table 
> that contains one username/password combination for each mail gateway server."
>
> Figured I would ask before reading further.  Is it not possible to 
> authenticate to the same remote (receiver) with multiple sets of credentials?

Yes. The smtp_sasl_password_maps table can have full sender addresses, target 
MX hostnames, and next-hop domains as keys. For per-sender auth to work, you 
must also enable sender-dependent authentication. See the section on 
"Configuring Sender-Dependent SASL authentication" in the SOHO readme 
(http://www.postfix.org/SOHO_README.html#client_sasl_sender)



-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
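An added configuration example (not part of the thread, and not text from the Postfix docs) showing the combination the reply describes: TLS required to the relay, plaintext SASL permitted only because of that, and one password map keyed by sender address, by bracketed next-hop host, and by next-hop domain. The paths, hostnames, addresses and credentials are assumed values.

```conf
# /etc/postfix/main.cf (assumed path)
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Look up the sender address before the destination, so the same relay can be
# used with different credentials depending on the envelope sender.
smtp_sender_dependent_authentication = yes
# Require TLS to the relay before any plaintext mechanism (PLAIN/LOGIN) is used.
smtp_tls_security_level = encrypt
# Only ANONYMOUS is forbidden here; "noplaintext" is deliberately dropped for
# TLS sessions because the whole channel is already encrypted.
smtp_sasl_tls_security_options = noanonymous
# Keep the stricter Postfix default for any session that is not TLS-protected.
smtp_sasl_security_options = noplaintext, noanonymous

# /etc/postfix/sasl_passwd (assumed path; build the .db with
# "postmap hash:/etc/postfix/sasl_passwd" after every edit)
# Key forms, all assumed values:
#   full sender address   -> tried first when sender-dependent auth is enabled
#   [mx.example.net]:587  -> must match the relayhost/next-hop exactly as written
#   example.net           -> next-hop domain, used when no more specific key matches
alice@example.com        alice-relay-user:s3cret-one
bob@example.com          bob-relay-user:s3cret-two
[mx.example.net]:587     default-relay-user:s3cret-default
example.net              fallback-relay-user:s3cret-fallback
```

Because sasl_passwd holds recoverable credentials, keep both it and sasl_passwd.db readable by root only (mode 600), which is the client-side counterpart of the "don't store leakable passwords" point made above.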
