SASL Auth: force ssl/tls connections.

install_postfix_advanced.sh

@@ -833,15 +833,31 @@ if $IS_RELAY_HOST ; then
    cat <<EOF >> /etc/postfix/main.cf
 
 #======= SASL Authentification  ============
+
+# Enable SASL authentication
 smtpd_sasl_auth_enable = $SASL_AUTH_ENABLED
+
+# Only offer SMTP AUTH when talking over an encrypted connection
+smtpd_tls_auth_only = yes
+
 smtpd_sasl_type = cyrus
 smtpd_sasl_path = smtpd
 
+# Disallow methods that allow anonymous authentication.
 smtpd_sasl_security_options = noanonymous
 smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
-smtpd_sasl_authenticated_header = yes
-broken_sasl_auth_clients = yes
 
+# Report the SASL authenticated user name in the smtpd(8) Received message header.
+smtpd_sasl_authenticated_header = yes
+
+# Enable interoperability with remote SMTP clients that implement an obsolete version 
+# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook 
+# Express version 4 and MicroSoft Exchange version 5.0.
+#
+# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support 
+# in a non-standard way.
+#
+broken_sasl_auth_clients = yes
 
 ## - Optional lookup table with the SASL login names that own 
 ## - sender (MAIL FROM) addresses.
@@ -868,6 +884,10 @@ else
 ## -
 smtpd_sasl_auth_enable = no
 
+## - Only offer SMTP AUTH when talking over an encrypted connection
+## -
+smtpd_tls_auth_only = yes
+
 ## - The SASL plug-in type that the Postfix SMTP server should use for authentication. 
 ## - The available types are listed with the "postconf -a" command. 
 ## -
@@ -882,8 +902,20 @@ smtpd_sasl_type = dovecot
 ## -
 smtpd_sasl_path = private/dovecot-auth
 
+# Disallow methods that allow anonymous authentication.
 smtpd_sasl_security_options = noanonymous
-smtpd_sasl_authenticated_header = yes
+smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
+
+# Report the SASL authenticated user name in the smtpd(8) Received message header.
+smtpd_sasl_authenticated_header = no
+
+# Enable interoperability with remote SMTP clients that implement an obsolete version 
+# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook 
+# Express version 4 and MicroSoft Exchange version 5.0.
+#
+# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support 
+# in a non-standard way.
+#
 broken_sasl_auth_clients = yes
 
 

install_postfix_base.sh

@@ -602,20 +602,21 @@ if $SASL_AUTH ; then
 # Enable SASL authentication
 smtp_sasl_auth_enable = yes
 
+# Only offer SMTP AUTH when talking over an encrypted connection
+smtpd_tls_auth_only = yes
+
 # Forwarding to the ip-adress of host b.mx.oopen.de
 relayhost = [${RELAY_HOST}]
 
 # File including login data
 smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
 
-# Force using a (TLS) security connection
-# obsulete - use smtp_tls_security_level instead
-#smtp_use_tls = yes
-#smtp_tls_enforce_peername = no
-smtp_tls_security_level = encrypt
-
 # Disallow methods that allow anonymous authentication.
 smtp_sasl_security_options = noanonymous
+smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
+
+# Report the SASL authenticated user name in the smtpd(8) Received message header. 
+smtpd_sasl_authenticated_header = no
 
 
 

install_update_dovecot.sh

@@ -2015,6 +2015,8 @@ EOF
    ## - /etc/postfix/main.cf
    ## -
    ## - add/uncomment:
+   ## -
+   ## -    smtpd_tls_auth_only
    ## - 
    ## -    smtpd_sasl_type = dovecot
    ## -    smtpd_sasl_path = private/dovecot-auth
@@ -2030,7 +2032,9 @@ EOF
    _failed=false
    echononl "\tAdjust /etc/postfix/main.cf"
 
-   perl -i.$backup_date -n -p -e "s#^(\s*)(smtpd_sasl_auth_enable\ *=.*)#smtpd_sasl_auth_enable = no#" \
+   perl -i.$backup_date -n -p -e "s#^(\s*)(smtpd_tls_auth_only\ *=.*)#smtpd_tls_auth_only = yes#" \
+      /etc/postfix/main.cf || _failed=true
+   perl -i -n -p -e "s#^(\s*)(smtpd_sasl_auth_enable\ *=.*)#smtpd_sasl_auth_enable = no#" \
       /etc/postfix/main.cf || _failed=true
    perl -i -n -p -e "s#^(\s*)(smtpd_sasl_type\ *=.*)#smtpd_sasl_type = dovecot#" \
       /etc/postfix/main.cf || _failed=true