
I have enabled TLS support in Postfix and authentication is delegated to Dovecot which offers "plain login cram-md5" methods. The SASL section in my Postfix conf had

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_path = private/auth-client

Unfortunately a few of the connecting mail clients are Outlook Express and Gmail, both of which do not support CRAM-MD5. To allow those clients to relay, I had to remove the noplaintext constraint and use

smtpd_sasl_security_options = noanonymous

instead. Does that mean that clients like Outlook Express and Gmail will send their credentials in plain text only, even though TLS is enabled? If yes, what options do I have?

Thank you!

Gurunandan Bhat
  • Isn't the idea of TLS to create a secure connection so that authentication sent can't be sniffed? – NickW Mar 06 '13 at 11:39

1 Answer


Since your connection is encrypted via TLS, there should be no security problem with plaintext authentication. Most mail providers use plaintext auth over TLS/SSL. It is a problem of how probable it is that someone can sniff the contents of the connection.

You have to make sure though that you cannot connect without encryption. You should also use a certificate from a trusted CA.

Christopher Perrin
  • Thanks. How do I check/ensure that I cannot connect without encryption? I have a self-signed certificate that all clients are committed to accept. – Gurunandan Bhat Mar 06 '13 at 14:53
  • Disable all non-encrypted protocols – Christopher Perrin Mar 06 '13 at 15:26
  • @ChristopherPerrin That's bad advice – ATLief Aug 15 '20 at 02:37
  • @ATLief Thank you for taking your time to answer to a 7 year old comment. Could you maybe elaborate? Your comment is a bit on the short side. – Christopher Perrin Aug 16 '20 at 08:03
  • @ChristopherPerrin Many protocols (including IMAP and SMTP) support opportunistic encryption. This means that port 143 and 25 MAY be unencrypted, but it's perfectly valid to upgrade an unencrypted connection to an encrypted one on the same port. In theory clients should be fine with only having access to port 993 and 465/587 if they're using encryption, but certain firewalls may block port 993 for one reason or another. And if you're running a mail server you certainly shouldn't block port 25 or 587. – ATLief Aug 18 '20 at 18:01
  • But that wasn't the question. The commenter asked how to disable unencrypted connections. – Christopher Perrin Aug 19 '20 at 19:16
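The following Postfix configuration is an added example, not part of the question or the answer above. It addresses both the question's "what options do I have?" and the answer's "make sure you cannot connect without encryption" with two Postfix parameters the thread does not mention: `smtpd_sasl_tls_security_options`, which lets the SASL restrictions differ between encrypted and unencrypted sessions, and `smtpd_tls_auth_only`, which stops Postfix from advertising AUTH until STARTTLS has completed. The hostname, certificate paths and the submission-port listener are assumptions for illustration; the Dovecot socket path is the one from the question.

```ini
# --- main.cf ---

# Weak setting from the question: once "noplaintext" is dropped here, PLAIN
# and LOGIN are accepted on every session, including unencrypted ones.
#   smtpd_sasl_security_options = noanonymous

# Corrected: keep plaintext mechanisms forbidden on unencrypted sessions,
# and relax the rule only for sessions that have already negotiated TLS.
smtpd_sasl_auth_enable         = yes
smtpd_sasl_type                = dovecot
smtpd_sasl_path                = private/auth-client
smtpd_sasl_security_options     = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous

# Never advertise AUTH before STARTTLS; clients that try anyway get a
# "Must issue a STARTTLS command first" error instead of a login prompt.
smtpd_tls_auth_only = yes

# Port 25 must keep accepting unencrypted MTA-to-MTA mail (see the comment
# thread), so TLS is opportunistic there; the submission port enforces it.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem   # assumed path
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key # assumed path

smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination

# --- master.cf (assumed submission listener, port 587) ---
# submission inet n       -       n       -       -       smtpd
#   -o syslog_name=postfix/submission
#   -o smtpd_tls_security_level=encrypt
#   -o smtpd_sasl_auth_enable=yes
#   -o smtpd_tls_auth_only=yes
#   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

To verify the effect, connect to port 25 without TLS (for example with `nc mail.example.com 25`, then `EHLO test`) and confirm that no `250-AUTH` line appears in the response; then run `openssl s_client -connect mail.example.com:587 -starttls smtp` and confirm that AUTH is offered only after the TLS handshake. `postconf -n` prints the non-default values actually in effect, which is the quickest way to spot a stray `smtpd_sasl_security_options` override. Note that the self-signed certificate mentioned in the comments protects the password only as long as clients refuse to connect when the certificate does not match; a client configured to accept any certificate can be talked into encrypting its PLAIN credentials to an impostor, which is why the answer recommends a certificate from a trusted CA.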