# DO NOT EDIT THIS FILE. EDIT THE MAIN.CF FILE INSTEAD. THE STUFF
# HERE JUST SERVES AS AN EXAMPLE.
#
# This file contains example settings of Postfix configuration
# parameters that control SASL authentication for the Postfix
# SMTP server and client programs.

# SMTP SERVER CONTROLS

# The smtpd_sasl_auth_enable parameter controls whether SMTP client
# authentication is enabled in the Postfix SMTP server. By default,
# the Postfix SMTP server does not use authentication.
#
# If an SMTP client is authenticated, then the permit_sasl_authenticated
# access restriction can be used to permit relay access, like this:
#
#     smtpd_recipient_restrictions = permit_sasl_authenticated, ...
#
# To reject all SMTP connections from unauthenticated clients,
# specify smtpd_delay_reject=yes (which is the default) and use:
#
#     smtpd_client_restrictions = permit_sasl_authenticated
#
# In order to enable server-side authentication, build Postfix with
# SASL support, and install a configuration file /usr/lib/sasl/smtpd.conf
# (SASL version 1) or /usr/lib/sasl2/smtpd.conf (SASL version 2) with
# as contents, for example,
#
#     pwcheck_method: sasldb
#
# or whatever method is suitable for your environment: PAM, shadow,
# etc. If you use sasldb, you can add users with the "saslpasswd"
# command that comes with the SASL library. If you configure Postfix
# to use PAM, the PAM service name for SASL authentication is "smtp",
# and adding users depends entirely on how PAM is set up.
#
# If you run your SMTP server chrooted, then you need to copy PAM
# and/or SASL support libraries and data files into the chroot jail.
# That's a lot of files, and it seems not very practical to do so.
#
#smtpd_sasl_auth_enable = yes
smtpd_sasl_auth_enable = no

# The smtpd_sasl_security_options parameter controls what authentication
# mechanisms the Postfix SMTP server will offer to the client. The
# list of available authentication mechanisms is system dependent.
#
# Specify zero or more of the following:
#
#     noplaintext: disallow methods that use plaintext passwords
#     noactive: disallow methods subject to active (non-dictionary) attack
#     nodictionary: disallow methods subject to passive (dictionary) attack
#     noanonymous: disallow methods that allow anonymous authentication
#
# An additional option is available in SASL version 2:
#
#     mutual_auth: only allow methods that provide mutual authentication
#
# By default, the Postfix SMTP server accepts plaintext passwords but
# not anonymous logins.
#
# HORROR! It appears that clients try authentication methods in the
# order as advertised by the server (e.g., PLAIN ANONYMOUS CRAM-MD5)
# which means that if you disable plaintext passwords, clients will
# log in anonymously, even when they should be able to use CRAM-MD5.
# So, if you disable plaintext logins, disable anonymous logins too.
# Postfix treats anonymous login as no authentication.
#
#smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_security_options = noanonymous

# The smtpd_sasl_local_domain parameter specifies the name of the
# local authentication realm.
#
# By default, the local authentication realm name is the name of the
# machine.
#
#smtpd_sasl_local_domain = $mydomain
smtpd_sasl_local_domain = $myhostname

# SMTP CLIENT CONTROLS

# The smtp_sasl_auth_enable parameter controls whether authentication
# is enabled in the Postfix SMTP client. By default, the Postfix SMTP
# client uses no authentication.
#
#smtp_sasl_auth_enable = yes
smtp_sasl_auth_enable = no

# The smtp_sasl_password_maps parameter specifies the names of lookup
# tables with one username:password entry per remote hostname or
# domain. If a remote host or domain has no username:password entry,
# then the Postfix SMTP client will not attempt to authenticate to
# the remote host.
#
# The Postfix SMTP client opens the lookup table before going to
# chroot jail, so you can leave the password file in /etc/postfix.
#
smtp_sasl_password_maps = hash:/etc/postfix/saslpass

# The smtp_sasl_security_options parameter controls what authentication
# mechanisms the local Postfix SMTP client is allowed to use. The
# list of available authentication mechanisms is system dependent.
#
# Specify zero or more of the following:
#
#     noplaintext: disallow methods that use plaintext passwords
#     noactive: disallow methods subject to active (non-dictionary) attack
#     nodictionary: disallow methods subject to passive (dictionary) attack
#     noanonymous: disallow methods that allow anonymous authentication
#
# An additional option is available in SASL version 2:
#
#     mutual_auth: only allow methods that provide mutual authentication
#
# By default, the Postfix SMTP client will not use plaintext passwords.
#
#smtp_sasl_security_options =
smtp_sasl_security_options = noplaintext
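
# ADDED EXAMPLE (not part of the original Postfix sample file, and not
# Postfix code): a Python check for the smtpd_sasl_security_options pitfall
# described under SMTP SERVER CONTROLS, noplaintext set without noanonymous.
# The function names, finding labels and sample input are assumptions made
# for this illustration; $name expansion is not handled.

```python
import re

# Defaults as stated in the sample file: server auth off, noanonymous only.
DEFAULTS = {"smtpd_sasl_auth_enable": "no",
            "smtpd_sasl_security_options": "noanonymous"}

# Constructed main.cf excerpt for illustration (not from a real server).
SAMPLE_MAIN_CF = """\
# constructed example
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# a later definition overrides the earlier one
smtpd_sasl_security_options =
    noplaintext
"""

def parse_main_cf(text):
    """Parse 'name = value' lines; '#' lines and blank lines are skipped,
    a line starting with whitespace continues the previous parameter,
    and the last definition of a parameter wins. No $name expansion."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t":
            if name is not None:
                params[name] = (params[name] + " " + line.strip()).strip()
            continue
        key, sep, value = line.partition("=")
        name = key.strip() if sep and key.strip() else None
        if name:
            params[name] = value.strip()
    return params

def audit_smtpd_sasl(text):
    """Return findings for the server-side SASL options (empty list = OK)."""
    cfg = {**DEFAULTS, **parse_main_cf(text)}
    if cfg["smtpd_sasl_auth_enable"].lower() != "yes":
        return []  # server does not offer AUTH at all
    raw = cfg["smtpd_sasl_security_options"].lower()
    opts = {o for o in re.split(r"[,\s]+", raw) if o}
    findings = []
    if "noanonymous" not in opts:
        findings.append("anonymous-allowed")
        if "noplaintext" in opts:
            # The case the sample file warns about: clients may log in anonymously.
            findings.append("noplaintext-without-noanonymous")
    return findings

if __name__ == "__main__":
    for finding in audit_smtpd_sasl(SAMPLE_MAIN_CF):
        print("smtpd_sasl_security_options:", finding)
```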