Should I use noanonymous

dovecot postfix

I have postfix and dovecot on a machine and I don't want anonymous sasl.

This is my main.cf

smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

(As you see I'm not using smtpd_sasl_security_options = noanonymous)

In dovecot I don't have anonymous as auth_mechanisms as I don't want it:

auth_mechanisms = plain login

Is there any point in having smtpd_sasl_security_options = noanonymous in postfix as well?

Don't these two settings sort of overlap?


I still don't understand.

1)
According to the above configuration,

when I RECEIVE via MUA(Thunderbird) the process is:

MUA(Thunderbird) -> (POP/IMAP protocol) -> Dovecot's SASL -> new emails downloaded by MUA(Thunderbird)

when I SEND via MUA(Thunderbird) the process is:

MUA(Thunderbird) -> (SMTP protocol) -> MTA(Postfix) -> Dovecot's SASL (because of smtpd_sasl_type = dovecot) -> new email sent with MTA(Postfix)

2)
As Dovecot's SASL is being used, I guess all the directives in 10-auth.conf are used, and among these is auth_mechanisms.

It looks to me as though when I SEND via MUA, because postfix comes first:

smtpd_sasl_security_options = noanonymous

is run first.

Then Dovecot's SASL comes and so:

auth_mechanisms = plain login

It looks to me as though smtpd_sasl_security_options = noanonymous is not really necessary because later on I only allow "plain" and "login". Can you see what I mean?

Best Answer

No, they don't overlap. Postfix can use the SASL authentication mechanisms provided by Dovecot, but it doesn't use Dovecot's configuration. In Postfix you configure authentication for SMTP, in Dovecot you configure authentication for IMAP and/or POP3.

And yes, you probably should use smtpd_sasl_security_options = noanonymous.
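
To see what the SMTP side actually offers with the main.cf from the question, compare the configured values (`postconf smtpd_sasl_security_options`, `doveconf auth_mechanisms`) with the AUTH lines in the server's EHLO reply. The script below is an added example, not part of the original question or answer; the EHLO replies are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the SASL mechanisms an SMTP server advertises in its
# EHLO reply and flag ANONYMOUS. The sample replies below are constructed.

# Print one mechanism per line, upper-cased and de-duplicated.
# Handles "250-AUTH PLAIN LOGIN", the final-line form "250 AUTH ...", and the
# "250-AUTH=PLAIN LOGIN" line that broken_sasl_auth_clients = yes adds.
advertised_mechs() {
    tr -d '\r' |
    sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
    tr ' ' '\n' |
    tr '[:lower:]' '[:upper:]' |
    sed '/^$/d' |
    sort -u
}

# Exit status 0 if ANONYMOUS is offered, 1 otherwise.
offers_anonymous() {
    advertised_mechs | grep -qx 'ANONYMOUS'
}

# Constructed EHLO reply matching the question's setup (plain + login).
SAMPLE_OK='250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME'

# Constructed reply from a server that also offers ANONYMOUS.
SAMPLE_BAD='250-mail.example.test
250-AUTH PLAIN LOGIN ANONYMOUS
250 8BITMIME'

# Report whether the EHLO reply passed as $1 advertises ANONYMOUS.
check() {
    if printf '%s\n' "$1" | offers_anonymous; then
        echo "ANONYMOUS advertised"
    else
        echo "ANONYMOUS not advertised"
    fi
}

check "$SAMPLE_OK"
check "$SAMPLE_BAD"
```

To run it against a real server, save the EHLO reply from your own host to a file and pipe that file into `advertised_mechs`.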