
I have postfix and dovecot on a machine and I don't want anonymous sasl.

This is my main.cf

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

(As you see I'm not using smtpd_sasl_security_options = noanonymous)

In dovecot I don't have anonymous as auth_mechanisms as I don't want it:

auth_mechanisms = plain login

Is there any point in having smtpd_sasl_security_options = noanonymous in postfix as well?

Don't these two settings sort of overlap?


I still don't understand.

1) According to the above configuration,

when I RECEIVE via MUA(Thunderbird) the process is:

MUA(Thunderbird) -> (POP/IMAP protocol) -> Dovecot's SASL -> new emails downloaded by MUA(Thunderbird)

when I SEND via MUA(Thunderbird) the process is:

MUA(Thunderbird) -> (SMTP protocol) -> MTA(Postfix) -> Dovecot's SASL (because of smtpd_sasl_type = dovecot) -> new email sent with MTA(Postfix)

2) As Dovecot's SASL is being used I guess all the directives in 10-auth.conf are and among these there is auth_mechanisms.

It looks to me as though when I SEND via MUA, because postfix comes first:

smtpd_sasl_security_options = noanonymous

is run first.

Then Dovecot's SASL comes and so:

auth_mechanisms = plain login

It looks to me as though smtpd_sasl_security_options = noanonymous is not really necessary because later on I only allow "plain" and "login". Can you see what I mean?

Sven
wlf

1 Answer

No, they don't overlap. Postfix can use the SASL authentication mechanisms provided by Dovecot, but it doesn't use Dovecot's configuration. In Postfix you configure authentication for SMTP, in Dovecot you configure authentication for IMAP and/or POP3.

And yes, you probably should use smtpd_sasl_security_options = noanonymous.

Ansgar Wiechers
  • Can you confirm if I got it right? 1) If I send an email from a MUA, it's sent to Postfix which does SMTP authentication (smtpd_sasl_security_options comes into play, auth_mechanisms doesn't) and, if successful, delivers. 2) If I get an email on the MUA, I got it after Dovecot POP/IMAP authentication (auth_mechanisms comes into play, smtpd_sasl_security_options doesn't) – wlf Sep 12 '12 at 11:15
  • That's correct. – Ansgar Wiechers Sep 12 '12 at 11:43
  • Ansgar can you take a look at my answer below? Thanks for your answer but I'm still not 100% with you. – wlf Sep 12 '12 at 12:30
  • As per http://www.postfix.org/postconf.5.html **"By default, the Postfix SMTP server accepts plaintext passwords but not anonymous logins."** Therefore specifying "smtpd_sasl_security_options = noanonymous" is superfluous. –  Aug 12 '15 at 15:59
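
Added example (not part of the original thread, and not Postfix or Dovecot code): a simplified Python model of how smtpd_sasl_security_options prunes the mechanism list that a Dovecot auth socket announces when smtpd_sasl_type = dovecot. The handshake lines are constructed sample input, the function names are hypothetical, and only the four "no..." options are modelled.

```python
# Simplified model, not Postfix source: how smtpd_sasl_security_options
# prunes the SASL mechanisms announced over the Dovecot auth socket.

# Postfix option -> mechanism property flag that disqualifies a mechanism.
OPTION_TO_FLAG = {
    "noanonymous": "anonymous",
    "noplaintext": "plaintext",
    "noactive": "active",
    "nodictionary": "dictionary",
}

# Constructed handshake lines (tab-separated), as an auth server with
# auth_mechanisms = plain login anonymous cram-md5 might announce them.
SAMPLE_HANDSHAKE = (
    "VERSION\t1\t1\n"
    "MECH\tPLAIN\tplaintext\n"
    "MECH\tLOGIN\tplaintext\n"
    "MECH\tANONYMOUS\tanonymous\n"
    "MECH\tCRAM-MD5\tdictionary\tactive\n"
    "DONE\n"
)

def parse_mechs(handshake):
    """Return {mechanism: set(flags)} built from the MECH lines."""
    mechs = {}
    for line in handshake.splitlines():
        fields = line.split("\t")
        if fields[0] == "MECH" and len(fields) >= 2:
            mechs[fields[1]] = set(fields[2:])
    return mechs

def advertised(handshake, security_options="noanonymous"):
    """Mechanisms left after applying the security options.
    The default mirrors the postconf(5) default quoted in the thread."""
    options = security_options.replace(",", " ").split()
    unknown = [o for o in options if o not in OPTION_TO_FLAG]
    if unknown:
        raise ValueError("unsupported in this model: %s" % unknown)
    banned = {OPTION_TO_FLAG[o] for o in options}
    return [m for m, flags in parse_mechs(handshake).items()
            if not (flags & banned)]

if __name__ == "__main__":
    for opts in ("", "noanonymous", "noanonymous noplaintext"):
        print(repr(opts), "->", advertised(SAMPLE_HANDSHAKE, opts))
```

In this model, a handshake that announces only PLAIN and LOGIN comes out unchanged under noanonymous, while noplaintext would remove both mechanisms.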