Postfix auth login

1

I'm sending inbound email from outside to internal. My internal domain is protected by an email gateway running Postfix. I'm trying to send email via the command prompt.

When I give the "auth login" command, it allows the user name "root", and if I give any password it accepts it.

[root@kar-esg-esg ~]# telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 ABC email protection service is ready.
ehlo kk
250-ABC email protection service
250-SIZE 35840000
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME
auth login
334 VXNlcm5hbWU6
root
334 UGFzc3dvcmQ6
blah
235 2.7.0 Authentication successful

My query is: what does this "auth login" mean for an inbound email? And what are the credentials for this?

I'm aware that this can be disabled with the "smtpd_sasl_auth_enable" option. But I would like to know what this is used for and what the implications of disabling it are.

user1034181

Posted 2019-05-10T05:02:43.390

Reputation: 11

Answers

1

Inbound email from other domains to your MX servers doesn't use any form of SASL authentication. Foreign servers do not have any credentials they could use; they just go straight from HELO (EHLO) to sending the message.

You should not need to enable SASL auth globally (main.cf). Instead, you only need to enable it for individual services in master.cf – specifically, just the "client-to-server" ports 587 and 465:

submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
...
submissions inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
...

Most of the time, the only reason to have auth enabled on port 25 (the "smtp" service) is if you're sending outgoing mail using old clients which do not support using port 587 (which is a recent invention) and/or do not support mandatory TLS.

user1686

Posted 2019-05-10T05:02:43.390

Reputation: 283 655

This explains everything. Perfect. – user1034181 – 2019-05-10T07:17:27.057
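An added example, not part of the answer above or of Postfix itself: a small audit that works out the effective smtpd_sasl_auth_enable for each smtpd listener in master.cf, so you can confirm that auth is off on port 25 and on only for the submission services. The function names and the sample configuration are constructed for illustration, and only the `-o name=value` override form is handled.

```python
import shlex

# Constructed sample master.cf: port 25 listener, a submission override, and the smtp client.
SAMPLE_MASTER = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtp       unix  -  -  n  -  -  smtp
"""

def logical_lines(text):
    """Drop blank/comment lines and join continuation lines (leading whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def main_cf_value(main_text, name, default):
    """Return the main.cf setting for `name`; the last assignment wins."""
    value = default
    for line in logical_lines(main_text):
        key, sep, val = line.partition("=")
        if sep and key.strip() == name:
            value = val.strip()
    return value

def sasl_by_service(master_text, main_text=""):
    """Map each inet smtpd listener to its effective smtpd_sasl_auth_enable."""
    global_val = main_cf_value(main_text, "smtpd_sasl_auth_enable", "no")
    result = {}
    for line in logical_lines(master_text):
        f = shlex.split(line)
        # Fields: service type private unpriv chroot wakeup maxproc command args...
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue
        value, args = global_val, f[8:]
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and args[i + 1].startswith("smtpd_sasl_auth_enable="):
                value = args[i + 1].split("=", 1)[1]
        result[f[0]] = value == "yes"
    return result

def port25_findings(master_text, main_text=""):
    """List port 25 listeners ("smtp" or "25", optionally host-prefixed) that offer AUTH."""
    effective = sasl_by_service(master_text, main_text)
    return [s for s, on in effective.items() if on and s.rsplit(":", 1)[-1] in ("smtp", "25")]
```

On a live system, compare the result with what each port actually advertises in its EHLO response, since the running configuration is what clients see.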