jtelep@??? wrote:
> Great, this helps so much. Thanks for your help Bill. So just for a
> quick recap to be sure that I understand this correctly, once TLS is
> enabled it handles all of the encryption regarding SMTP traffic including the
> authentication. So I can use sasl-plain auth without being concerned that
> someone can "sniff" the user_id and password because the connection has
> already been encrypted. Let me know if I am off base here at all.
You need to ensure that you only allow PLAIN or LOGIN authentication on
a TLS connection, otherwise a client could accidentally connect without
TLS and send a password en-clair.
This is usually done with:

    server_advertise_condition = ${if def:tls_cipher}

in the authenticator definition.
- Marc
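
A small audit for the setting described in the reply above, as an added example that is not part of the original thread: it reads the authenticators section of an Exim configuration and reports server-side `plaintext` authenticators whose `server_advertise_condition` does not refer to the TLS cipher variable. The sample configuration, the instance names `plain_tls` and `login_open`, and the helper function names are constructed for illustration.

```python
import re

# Constructed sample of an Exim "authenticators" section (not from the thread):
# one PLAIN authenticator tied to TLS, one LOGIN authenticator left unguarded.
SAMPLE_CONFIG = r"""
begin authenticators

plain_tls:
  driver = plaintext
  public_name = PLAIN
  server_condition = Authentication is not yet configured
  server_advertise_condition = ${if def:tls_cipher}

login_open:
  driver = plaintext
  public_name = LOGIN
  server_prompts = Username:: : Password::
  server_condition = Authentication is not yet configured
"""

def parse_authenticators(text):
    """Return {instance_name: {option: value}} for the authenticators section."""
    text = re.sub(r"\\[ \t]*\n[ \t]*", "", text)  # join backslash-continued lines
    auths, current, in_section = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        begin = re.fullmatch(r"begin\s+(\w+)", line)
        if begin:
            in_section = begin.group(1) == "authenticators"
        elif in_section and re.fullmatch(r"[\w-]+:", line):
            current = auths.setdefault(line[:-1], {})
        elif in_section and current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return auths

def unguarded_plaintext(auths):
    """Names of server-side plaintext authenticators not advertised on TLS only."""
    flagged = []
    for name, opts in auths.items():
        serves = any(k.startswith("server_") and k != "server_advertise_condition"
                     for k in opts)
        # Heuristic: the condition must mention $tls_cipher (as in the thread) or
        # $tls_in_cipher (its name in newer Exim releases).
        guarded = re.search(r"tls_(in_)?cipher\b", opts.get("server_advertise_condition", ""))
        if opts.get("driver") == "plaintext" and serves and not guarded:
            flagged.append(name)
    return flagged

if __name__ == "__main__":
    print(unguarded_plaintext(parse_authenticators(SAMPLE_CONFIG)))
```

The check looks only at the authenticators section, so a restriction applied elsewhere in the configuration is not seen.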