SASL Auth: force ssl/tls connections.

2018-05-01 15:11:47 +02:00
parent 59a3fe60fc
commit 18962fafec
3 changed files with 47 additions and 10 deletions


@ -833,15 +833,31 @@ if $IS_RELAY_HOST ; then
cat <<EOF >> /etc/postfix/main.cf
#======= SASL Authentification ============
# Enable SASL authentication
smtpd_sasl_auth_enable = $SASL_AUTH_ENABLED
# Only offer SMTP AUTH when talking over an encrypted connection
smtpd_tls_auth_only = yes
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Disallow methods that allow anonymous authentication.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
smtpd_sasl_authenticated_header = yes
broken_sasl_auth_clients = yes
# Report the SASL authenticated user name in the smtpd(8) Received message header.
smtpd_sasl_authenticated_header = yes
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Express version 4 and MicroSoft Exchange version 5.0.
#
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# in a non-standard way.
#
broken_sasl_auth_clients = yes
## - Optional lookup table with the SASL login names that own
## - sender (MAIL FROM) addresses.
@ -868,6 +884,10 @@ else
## -
smtpd_sasl_auth_enable = no
## - Only offer SMTP AUTH when talking over an encrypted connection
## -
smtpd_tls_auth_only = yes
## - The SASL plug-in type that the Postfix SMTP server should use for authentication.
## - The available types are listed with the "postconf -a" command.
## -
@ -882,8 +902,20 @@ smtpd_sasl_type = dovecot
## -
smtpd_sasl_path = private/dovecot-auth
# Disallow methods that allow anonymous authentication.
smtpd_sasl_security_options = noanonymous
smtpd_sasl_authenticated_header = yes
smtpd_sasl_tls_security_options = \$smtpd_sasl_security_options
# Report the SASL authenticated user name in the smtpd(8) Received message header.
smtpd_sasl_authenticated_header = no
# Enable interoperability with remote SMTP clients that implement an obsolete version
# of the AUTH command (RFC 4954). Examples of such clients are MicroSoft Outlook
# Express version 4 and MicroSoft Exchange version 5.0.
#
# Specify "broken_sasl_auth_clients = yes" to have Postfix advertise AUTH support
# in a non-standard way.
#
broken_sasl_auth_clients = yes
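Review bot: In the first hunk, which appears to sit in the `if $IS_RELAY_HOST` branch, the new side keeps `smtpd_sasl_authenticated_header = yes`, while the last hunk (the dovecot branch) changes the same parameter to `no`. With `yes`, Postfix writes the SASL login name into the Received header of every message it accepts from an authenticated client, so account names become visible to recipients; unless the relay host needs that for abuse tracing, I would use `smtpd_sasl_authenticated_header = no` there too, or give the reason for the difference in the comment above it. Separately, `smtpd_tls_auth_only = yes` only helps when smtpd actually offers TLS; `smtpd_tls_security_level` is not visible in these hunks, so confirm it is `may` or `encrypt`, otherwise AUTH is never advertised. The page has lost its +/- markers, so the repeated `smtpd_sasl_authenticated_header` and `broken_sasl_auth_clients` lines are read here as old/new pairs.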