Removing “noplaintext” from Postfix conf due to lack of CRAM-MD5 support in clients. Is that insecure?

Tags: dovecot, postfix, sasl, tls

I have enabled TLS support in Postfix and authentication is delegated to Dovecot, which offers the "plain login cram-md5" mechanisms. The SASL section in my Postfix conf had

smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_type = dovecot
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_path = private/auth-client

Unfortunately, a few of the connecting mail clients are Outlook Express and Gmail, both of which do not support CRAM-MD5. To allow those clients to relay, I had to remove the noplaintext constraint and use

smtpd_sasl_security_options = noanonymous

instead. Does that mean that clients like Outlook Express and Gmail will send their credentials in plain text only, even though TLS is enabled? If yes, what options do I have?

Thank you!

Best Answer

Since your connection is encrypted via TLS, there should be no security problem with plaintext authentication. Most mail providers use plaintext auth over TLS/SSL. It is a problem of how probable it is that someone can sniff the contents of the connection.

You have to make sure though that you cannot connect without encryption. You should also use a certificate from a trusted CA.
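The following main.cf fragment is an added example, not configuration from the question or the answer above. It shows the weak setting the question ends up with beside a hardened variant that keeps PLAIN/LOGIN available to Outlook Express and Gmail but only after STARTTLS has completed. It reuses the Dovecot socket and the other settings from the question; the certificate paths are placeholders to be replaced with the files for a certificate from a trusted CA.

```ini
# ---------------------------------------------------------------
# WEAK: what the question arrives at.
# PLAIN and LOGIN are offered on every SMTP session, including ones
# that never issue STARTTLS, so a client that skips TLS (or is
# downgraded) sends its password in the clear.
# ---------------------------------------------------------------
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
smtpd_sasl_security_options = noanonymous

# ---------------------------------------------------------------
# HARDENED: plaintext mechanisms only inside TLS.
# Use this block instead of the one above (Postfix takes the last
# occurrence of a parameter, so do not keep both in a real main.cf).
# ---------------------------------------------------------------
smtpd_tls_security_level = may
# Placeholders: point these at the key and certificate from a trusted CA.
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth-client
# Applies to the unencrypted state: keep "noplaintext" here, so no
# PLAIN/LOGIN is advertised before STARTTLS.
smtpd_sasl_security_options = noanonymous, noplaintext
# Applies once the session is encrypted. Its default is
# $smtpd_sasl_security_options, which is why it must be set
# explicitly: PLAIN/LOGIN become available only over TLS.
smtpd_sasl_tls_security_options = noanonymous
# Belt and braces: do not announce AUTH at all on an unencrypted session.
smtpd_tls_auth_only = yes
```

After reloading, `postconf -n` lists the non-default values so the two SASL option lists can be confirmed. A quick end-to-end check is an EHLO on a plain connection, which should not list AUTH, followed by the same EHLO through `openssl s_client -starttls smtp -connect mail.example.com:25`, which should now show AUTH PLAIN LOGIN. If a legacy client still must authenticate without any TLS, that is the one case this configuration deliberately refuses, since that client would otherwise be the one sending credentials in clear text.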