Security concern over default smtp auth configuration
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Server Guide | Fix Released | Undecided | Unassigned |
Bug Description
In the following section:
https:/
The proposed SASL security option, which will presumably be used by millions of installations, is as follows:
smtpd_sasl_
I strongly recommend the following instead:
smtpd_sasl_
smtpd_sasl_
(see http://
The reason: with the current proposition, Postfix will authorize an authentication method that involves plaintext passwords transmitted unencrypted over the network. This means a simple network snooper installed on a corporate network will be able to recover the passwords of users who use the Ubuntu server as a mail relay.
Conclusion: the documentation should ensure 'noplaintext' is used by default for non-encrypted routes.
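As an added illustration (not part of the bug report or the Server Guide), a small audit script that parses a Postfix main.cf and flags the condition the reporter describes: plaintext SASL mechanisms still permitted on a session that is not TLS-protected. The parameter names (smtpd_sasl_auth_enable, smtpd_sasl_security_options, smtpd_sasl_tls_security_options, smtpd_tls_auth_only) are Postfix's own; the two main.cf fragments are constructed samples.

```python
import re

# Constructed sample main.cf fragments (not taken from the Server Guide).
WEAK_MAIN_CF = """
# Plaintext mechanisms remain allowed on un-encrypted sessions
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
"""

HARDENED_MAIN_CF = """
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options =
    noanonymous,
    noplaintext
# Plaintext mechanisms are acceptable once the session is TLS-protected
smtpd_sasl_tls_security_options = noanonymous
"""

def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and
    continuation lines that begin with whitespace."""
    cfg, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and key is not None:   # continuation line
            cfg[key] = (cfg[key] + " " + raw.strip()).strip()
            continue
        name, _, value = raw.partition("=")
        key = name.strip()
        cfg[key] = value.strip()
    return cfg

def _as_list(value):
    # Postfix list values are separated by commas and/or whitespace.
    return [v for v in re.split(r"[\s,]+", value) if v]

def plaintext_auth_exposed(cfg):
    """True when a client could send a plaintext password over a non-TLS
    connection, i.e. the weakness the report points out."""
    if cfg.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        return False
    # smtpd_tls_auth_only = yes: AUTH is only announced after STARTTLS.
    if cfg.get("smtpd_tls_auth_only", "no").lower() == "yes":
        return False
    # Postfix's built-in default for this parameter is just 'noanonymous'.
    opts = _as_list(cfg.get("smtpd_sasl_security_options", "noanonymous"))
    return "noplaintext" not in opts

if __name__ == "__main__":
    for label, text in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        state = "exposed" if plaintext_auth_exposed(parse_main_cf(text)) else "ok"
        print(f"{label}: {state}")
```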
security vulnerability: yes → no
visibility: private → public
tags: added: serverguide; removed: postfix sasl
Changed in ubuntu-docs (Ubuntu):
status: New → Invalid
no longer affects: ubuntu-docs (Ubuntu)
Fixed for focal.
https://discourse.ubuntu.com/t/mail-postfix/11325