Ssl – How to force postfix to deny all non TLS queries


I have a server with postfix and a plain text authentication.

It accepts both TLS and non-TLS authentication.

How can I force the server to deny all non-TLS queries so that the mail users never send their username and password in clear text when logging in?

To make things clear, if user2@mymailserver2.com is the recipient and user@mymailserver.com the local sender:

  • I want this command to work (since there is the --tls option):

    swaks --tls --to user2@mymailserver2.com --from -a user1@mymailserver1.com -auth CRAM-MD5 --auth-user user1@mymailserver1.com
    
  • and that command to fail (since --tls is missing):

    swaks --to user2@mymailserver2.com --from -a user1@mymailserver1.com -auth CRAM-MD5 --auth-user user1@mymailserver1.com
    

Best Answer

Because it's New Year's Day once more: Reading Manuals as a Service.

From the manual:

Supporting AUTH over TLS only

Sending AUTH data over an unencrypted channel poses a security risk. When TLS layer encryption is required (smtpd_tls_security_level = encrypt), the Postfix SMTP server will announce and accept AUTH only after the TLS layer has been activated with STARTTLS. When TLS layer encryption is optional (smtpd_tls_security_level = may), it may however still be useful to only offer AUTH when TLS is active. To maintain compatibility with non-TLS clients, the default is to accept AUTH without encryption. In order to change this behavior, set
    smtpd_tls_auth_only = yes
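To check which of the two states described above a given main.cf is in, here is an added shell example (not part of the question or the answer, and not Postfix's own tooling). It reads the two parameters from a main.cf file and reports whether AUTH would still be offered on an unencrypted connection; the two sample configs are constructed, and the Postfix defaults it assumes are smtpd_tls_security_level = none and smtpd_tls_auth_only = no.

```shell
#!/bin/sh
# Audit a Postfix main.cf for the settings discussed above.
# plaintext_auth_offered returns 0 when the server would still offer AUTH
# on an unencrypted connection, 1 when AUTH is only offered after STARTTLS.

# cfg_get FILE KEY DEFAULT: last "KEY = value" line in FILE, or DEFAULT if unset
cfg_get() {
    val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
          | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# plaintext_auth_offered FILE
# Mirrors the manual text: with security_level = encrypt, AUTH is announced
# only after STARTTLS; with may (or none) AUTH is accepted in the clear
# unless smtpd_tls_auth_only = yes. Assumed Postfix defaults: none / no.
plaintext_auth_offered() {
    level=$(cfg_get "$1" smtpd_tls_security_level none)
    auth_only=$(cfg_get "$1" smtpd_tls_auth_only no)
    case "$level" in
        encrypt) return 1 ;;
    esac
    case "$auth_only" in
        yes) return 1 ;;
    esac
    return 0
}

# Constructed sample configs: the questioner's situation, and the fix.
WEAK_CF=$(mktemp); HARD_CF=$(mktemp)
cat >"$WEAK_CF" <<'EOF'
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
EOF
cat >"$HARD_CF" <<'EOF'
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
EOF

for f in "$WEAK_CF" "$HARD_CF"; do
    if plaintext_auth_offered "$f"; then
        echo "$f: AUTH offered without TLS (credentials can cross the wire in clear)"
    else
        echo "$f: AUTH offered only after STARTTLS"
    fi
done
```

Note that smtpd_tls_security_level = encrypt refuses every plaintext SMTP session, including inbound mail from servers that never send STARTTLS, so for a public MX the usual combination is may together with smtpd_tls_auth_only = yes.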