
I've got an SMTP relay server that I recently replaced with OS X 10.10 Yosemite running Server.app. It is running as an SMTP-only relay allowing only hosts from the LAN to relay out through it. We do this so that all mail from our subnet is correctly sent from a verified host for our domain for Sender Policy Framework (SPF) and such.

Configuring to relay out was pretty easy. Following Apple's documentation for Disabling Mail services on OS X Server, I did the following:

```
sudo serveradmin settings mail:global:skip_enable_service_check = yes
sudo serveradmin settings mail:imap:enable_imap = no
sudo serveradmin settings mail:imap:enable_pop = no
sudo serveradmin settings mail:imap:enable_sieve = no
sudo serveradmin stop mail
sudo serveradmin start mail
```

That ensured that only SMTP is running and remains the case after rebooting or restarting the Mail service. Since the SMTP relay server's hostname is a subdomain in the domain it's relaying for, I also had to modify `/Library/Server/Mail/Config/postfix/main.cf` to remove `$myhostname` & `$mydomain` from "mydestination". The resulting line is as follows:

```
mydestination = localhost.$mydomain, localhost
```

That also worked; Server.app recognized and retains the change (as verified by running `sudo serveradmin settings mail:postfix`). The same holds true for tweaks to the mynetworks line to limit which subnets relaying was accepted from.

The problem I'm experiencing is that modifications to the smtpd_pw_server_security_options line (specifically, to remove the LOGIN & PLAIN authentication types) will not stick and revert to the default (which includes the unwanted plaintext auth types) upon starting the Mail service. Apple's documentation on Apple-specific postfix options in Mac OS X Server implies that skipping the LOGIN & PLAIN options should be valid.

I have tried:

  1. the aforementioned modifications to smtpd_pw_server_security_options in /Library/Server/Mail/Config/postfix/main.cf
  2. As mentioned in the Apple-specific postfix options documentation, running sudo serveradmin settings mail:postfix:smtpd_use_pw_server = no (mail:postfix:smtpd_use_pw_server seems to be an empty dictionary under Yosemite)
  3. Running sudo serveradmin settings postfix:smtp_sasl_auth_enable = yes (it defaults to 'no' under Yosemite, so I assume Apple just swapped this option's functionality from the above mail:postfix:smtpd_use_pw_server option)
  4. Using serveradmin to delete the login & plain elements from the mail:postfix:smtpd_pw_server_security_options array (e.g. `sudo serveradmin settings mail:postfix:smtpd_pw_server_security_options:_array_index:2 = delete`), but as Charles Edge mentions in his krypted blog post about Removing 'serveradmin settings' Entries in OS X Server, that functionality seems to be broken. And no, these settings aren't mirrored in /Library/Server/Mail/Config/MailServicesOther.plist or any other .plist, so manually modifying those doesn't appear to be an option.

I have gotten plaintext auth disabled temporarily using Server.app by toggling the plaintext authentication setting from a partially selected checkbox (presumably because IMAP is disabled) to a fully deselected checkbox, but it's inconsistent and doesn't stick after restarting the Mail service.

Any suggestions or solutions would be greatly appreciated, with the exception of advising not to use Server.app on OS X. This is for an all-Apple shop which must dog food Apple's products for reasons which I cannot get into here. Naturally, leaving plaintext auth enabled is also not an option for obvious security & PCI DSS compliance reasons.

morgant
  • *This is for an all-Apple shop which must dog food Apple's products* like an Apple store? Anyway, as a temporary workaround you can always make a shell script that executes the commands you describe above and make that script run at boot. –  Mar 12 '15 at 20:41
  • Aside from the initial commands to disable all but SMTP in the Mail service, the others do not actually work. I can sometimes get it to disable plaintext auth via Server.app, but not reliably and so definitely not easily automated. Your comment made me realize that I could certainly write a notifier should the plaintext auth become reenabled, so that's a start, but I'd love a full solution or something easily automated. – morgant Mar 12 '15 at 21:33
  • I'm really interested in your problem and I want to reproduce it in my environment. Unfortunately, I don't have Mac OS resources here. Anyway, can you track the process that reverts `main.cf` to the default state? auditctl should be useful – masegaloeh Mar 14 '15 at 15:48

1 Answer

I can--with some futzing--get SMTP plaintext auth disabled via Server.app, though it doesn't stick very well (certainly doesn't survive a reboot or restart of the Mail service, and sometimes even gets lost while poking around in Server.app). I realized that, as a temporary workaround, I can at least automatically notify if the 'PLAIN' & 'LOGIN' plaintext SMTP auth gets re-enabled.

I whipped up the following quick bash script that does the job:

```bash
#!/bin/bash

#
# smtp_plaintext_auth_check - check to see if plaintext auth is supported by SMTP service and warn if it is
#
# v0.1   2015-03-12 - Morgan Aldridge <http://serverfault.com/users/13496/morgant>
#                     Initial version.
#

admin_emails="email@domain.tld"
debug=false

host=$(hostname)
date=$(date +%Y-%m-%d-%H%M)

plaintext_auth_enabled=false

# check via serveradmin to see if plaintext auth is allowed by the SMTP server
if $debug; then echo "Checking Mail service to see if SMTP plaintext auth is supported..."; fi
while IFS= read -r line; do
    if [[ "$line" =~ (plain|login) ]]; then
        if $debug; then echo "  Found '${BASH_REMATCH[1]}' SMTP auth method which is plaintext!"; fi
        plaintext_auth_enabled=true
    fi
done <<< "$(serveradmin settings mail:postfix:smtpd_pw_server_security_options)"

# if plaintext auth is enabled, notify admins
if $plaintext_auth_enabled; then
    if $debug; then echo "Notifying admins via email that SMTP plaintext auth IS supported. That's bad!"; fi
    # heredoc body and terminator are left unindented: '<<-' only strips
    # leading tabs, so a space-indented 'EOM' would never end the heredoc
    mail -s "Error on $host: SMTP plaintext auth is allowed! $date" $admin_emails <<EOM
ERROR on $host: SMTP plaintext auth appears to be allowed by the Mail service! This is a security risk and against PCI DSS compliance!

Please resolve ASAP!
EOM
else
    if $debug; then echo "Phew, SMTP plaintext auth doesn't appear to be supported. That's good."; fi
fi
```

Again, it's a workaround and I'd much prefer to programmatically disable SMTP plaintext auth.

morgant
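
The notifier above reads the stored `serveradmin` setting; a complementary check is to inspect what the SMTP service actually advertises in its EHLO reply. The following is an added example, not part of the original answer: the function names and the sample EHLO replies are constructed for illustration, and it assumes the reply has already been captured as text.

```bash
#!/bin/bash
# Added example (not from the original post): flag plaintext SASL mechanisms
# advertised in an SMTP EHLO reply. Function names are illustrative.

# Read an EHLO reply on stdin and print the unique, upper-cased AUTH
# mechanisms, one per line. Handles "250-AUTH ..." and the legacy
# "250-AUTH=..." form, the final "250 " line, mixed case and CRLF endings.
ehlo_auth_mechs() {
    tr -d '\r' | tr '[:lower:]' '[:upper:]' |
        sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
        tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Print only the mechanisms that send the password unprotected
# (PLAIN and LOGIN). Exit status 0 if any were offered, 1 if none.
plaintext_mechs() {
    ehlo_auth_mechs | grep -x -e PLAIN -e LOGIN
}

# Constructed sample replies (not captured from a real server).
sample_bad=$(printf '%s\r\n' \
    '250-relay.example.com' \
    '250-PIPELINING' \
    '250-AUTH GSSAPI CRAM-MD5 LOGIN PLAIN' \
    '250-AUTH=GSSAPI CRAM-MD5 LOGIN PLAIN' \
    '250 8BITMIME')
sample_good=$(printf '%s\r\n' \
    '250-relay.example.com' \
    '250-AUTH GSSAPI CRAM-MD5' \
    '250 8BITMIME')

# Report on each constructed sample.
for name in sample_bad sample_good; do
    eval "reply=\$$name"
    if found=$(printf '%s\n' "$reply" | plaintext_mechs); then
        echo "$name: plaintext AUTH offered:" $found
    else
        echo "$name: no plaintext AUTH mechanisms advertised"
    fi
done
```

Feeding `plaintext_mechs` the relay's real EHLO reply from a scheduled job, and alerting on a zero exit status, catches the setting reverting regardless of what the configuration tool reports.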