[Techtalk] Postfix/Courier TLS/SASL

Devdas Bhagat devdas at dvb.homelinux.org
Fri May 21 23:15:10 EST 2004


On 20/05/04 13:15 -0700, Carla Schroder wrote:
> Hiya homies,
> 
> I've googled and read docs until my eyeballs are falling out, hopefully
> one of you fine chix0rs will know- do I need to enable TLS/SASL in both
> Postfix and Courier? I have it enabled in Courier, and clients are using
If you so wish to, yes. TLS can be a good thing if you require that
clients authenticate with your certificates rather than passwords.
I currently have very large doubts on the utility of allowing clients to
choose their own passwords for SMTP authentication.

> it like happy little clams. However I have not enabled it in Postfix:
> 
> $ telnet localhost 25
> Trying 127.0.0.1...
> Connected to localhost.localdomain.
> Escape character is '^]'.
> 220 windbag.test.net ESMTP Postfix (Libranet/GNU)
> EHLO windbag.test.net
> 250-windbag.test.net
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-XVERP
> 250 8BITMIME
I note a distinct lack of SMTP Authentication.

> ^]
> telnet> quit
> 
> Telnet would report
> 
>    250-STARTTLS
>    250-AUTH LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
>    250-AUTH=LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5
> 
> when TLS/SASL are enabled in Postfix. It's easy enough to add to Postfix- 
> do I need to? I think I don't, but I'd like to hear from wiser heads.
Hmmm, do you need to be able to encrypt the outbound channel? In that
case TLS is useful. If you have roaming users and you want to
authenticate them with certificates, you need TLS. If you want to use
SMTP AUTH, but the MUAs do not support CRAM-MD5 or better, and don't
want the passwords floating around in plain text, you need SASL and TLS.

Devdas Bhagat

> 
> thanks!
> 
> PS- OpenSSL has its own encrypted telnet-type client for testing this stuff:
> 
> # openssl s_client -connect localhost:995
> <boatloads of output, use the standard POP3 telnet commands>
Yup. I thought this was a FAQ :)

Devdas Bhagat
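
The check the thread does by eye with telnet, as an added example that is not part of the original messages: parse an EHLO reply and report whether STARTTLS and AUTH are advertised, and whether PLAIN or LOGIN is offered on a session that is not yet encrypted. The names `parse_ehlo` and `assess` are hypothetical, and the second sample reply is constructed from the lines quoted in the thread.

```python
import re

# SASL mechanisms that put the password itself on the wire (base64 is not encryption).
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# EHLO reply quoted in the thread: Postfix without TLS/SASL enabled.
NO_TLS_SASL = """\
250-windbag.test.net
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-XVERP
250 8BITMIME
"""

# Constructed sample: the same reply plus the three lines expected once TLS/SASL are on.
WITH_TLS_SASL = NO_TLS_SASL.replace("250 8BITMIME", (
    "250-STARTTLS\n250-AUTH LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5\n"
    "250-AUTH=LOGIN PLAIN OTP DIGEST-MD5 CRAM-MD5\n250 8BITMIME"))

def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [parameters]}."""
    caps = {}
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # the first line only carries the server name
        m = re.match(r"250[- ](\S.*)$", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        text = m.group(1)
        if text.upper().startswith("AUTH="):  # legacy form kept for old clients
            text = "AUTH " + text[5:]
        words = text.upper().split()
        params = caps.setdefault(words[0], [])
        for w in words[1:]:
            if w not in params:  # merge AUTH and AUTH= without duplicates
                params.append(w)
    return caps

def assess(caps, tls_active=False):
    """Summarise what the advertised capabilities mean for password exposure."""
    mechs = caps.get("AUTH", [])
    return {
        "starttls": "STARTTLS" in caps,
        "auth": mechs,
        "password_exposed": bool(PLAINTEXT_MECHS & set(mechs)) and not tls_active,
    }
```

In Postfix, `smtpd_tls_auth_only = yes` keeps AUTH from being advertised until STARTTLS has completed, so a cleartext EHLO no longer sets `password_exposed`.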

