Am 06.07.23 um 14:51 schrieb Viktor Dukhovni via Postfix-users:
I am surprised to hear that "login" works and "plain" does not, are you
sure about that?
Jep, I just retested. Changed to plain, restarted postfix and mail gets
deferred:
relay=smtp.worldserver.net[217.13.200.36]:587, delay=1,
delays=0.07/0.01/0.95/0, dsn=4.7.0, status=deferred (SASL authentication
failed; cannot authenticate to server smtp.world
changing back to login:
relay=smtp.worldserver.net[217.13.200.36]:587, delay=190,
delays=185/0.02/0.22/4.6, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued
as D302E1E0A44)
smtp_sasl_mechanism_filter = plain, login
and let SASL choose whichever it prefers when both are offered.
Have not tried this, as "login" works, but using both, I am afraid we
might run into the same issue as with cram-md5, since the server offers
all three (plain, login, cram). So, if plain is preferred by postfix, as
cram-md5 used to be, mail would not get through. So why take a risk, if
login works?
The mechanism name is "PLAIN" or "plain" (case insensitive). Both
"PLAIN" and "LOGIN" use cleartext passwords, there is no mechanism
named "password".
Thanks for the heads up again. As smtp_sasl_security_options specifies:
noplaintext
Disallow methods that use plaintext passwords.
I have used "password" as a superset or class of all clear text password
methods, as opposed to fundamentally different methods, such as
kerberos or ntlm.
Which is wrong, I (hopefully) get it now, but was the reason why I have
misunderstood the smtp_sasl_mechanism_filter in the first place.
sasl will never by my friend, I am afraid.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org