From b7c15c31519dc44c1f691e0466badd556ffe9423 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 18:18:56 +0200
Subject: Adding upstream version 3.7.10.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 README_FILES/SASL_README | 1422 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 1422 insertions(+)
 create mode 100644 README_FILES/SASL_README

(limited to 'README_FILES/SASL_README')

diff --git a/README_FILES/SASL_README b/README_FILES/SASL_README
new file mode 100644
index 0000000..94a377e
--- /dev/null
+++ b/README_FILES/SASL_README
@@ -0,0 +1,1422 @@
+PPoossttffiixx SSAASSLL HHoowwttoo
+
+-------------------------------------------------------------------------------
+
+HHooww PPoossttffiixx uusseess SSAASSLL aauutthheennttiiccaattiioonn
+
+SMTP servers need to decide whether an SMTP client is authorized to send mail
+to remote destinations, or only to destinations that the server itself is
+responsible for. Usually, SMTP servers accept mail to remote destinations when
+the client's IP address is in the "same network" as the server's IP address.
+
+SMTP clients outside the SMTP server's network need a different way to get
+"same network" privileges. To address this need, Postfix supports SASL
+authentication (RFC 4954, formerly RFC 2554). With this a remote SMTP client
+can authenticate to the Postfix SMTP server, and the Postfix SMTP client can
+authenticate to a remote SMTP server. Once a client is authenticated, a server
+can give it "same network" privileges.
+
+Postfix does not implement SASL itself, but instead uses existing
+implementations as building blocks. This means that some SASL-related
+configuration files will belong to Postfix, while other configuration files
+belong to the specific SASL implementation that Postfix will use. This document
+covers both the Postfix and non-Postfix configuration.
+
+NOTE: People who go to the trouble of installing Postfix may have the
+expectation that Postfix is more secure than some other mailers. The Cyrus SASL
+library contains a lot of code. With this, Postfix becomes as secure as other
+mail systems that use the Cyrus SASL library. Dovecot provides an alternative
+that may be worth considering.
+
+You can read more about the following topics:
+
+  * Configuring SASL authentication in the Postfix SMTP server
+  * Configuring SASL authentication in the Postfix SMTP/LMTP client
+  * Building Postfix with SASL support
+  * Using Cyrus SASL version 1.5.x
+  * Credits
+
+CCoonnffiigguurriinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
+
+As mentioned earlier, SASL is implemented separately from Postfix. For this
+reason, configuring SASL authentication in the Postfix SMTP server involves two
+different steps:
+
+  * Configuring the SASL implementation to offer a list of mechanisms that are
+    suitable for SASL authentication and, depending on the SASL implementation
+    used, configuring authentication backends that verify the remote SMTP
+    client's authentication data against the system password file or some other
+    database.
+
+  * Configuring the Postfix SMTP server to enable SASL authentication, and to
+    authorize clients to relay mail or to control what envelope sender
+    addresses the client may use.
+
+Successful authentication in the Postfix SMTP server requires a functional SASL
+framework. Configuring SASL should therefore always be the first step, before
+configuring Postfix.
+
+You can read more about the following topics:
+
+  * Which SASL Implementations are supported?
+  * Configuring Dovecot SASL
+
+      o Postfix to Dovecot SASL communication
+
+  * Configuring Cyrus SASL
+
+      o Cyrus SASL configuration file name
+      o Cyrus SASL configuration file location
+      o Postfix to Cyrus SASL communication
+
+  * Enabling SASL authentication and authorization in the Postfix SMTP server
+
+      o Enabling SASL authentication in the Postfix SMTP server
+      o Postfix SMTP Server policy - SASL mechanism properties
+      o Enabling SASL authorization in the Postfix SMTP server
+      o Additional SMTP Server SASL options
+
+  * Testing SASL authentication in the Postfix SMTP server
+
+WWhhiicchh SSAASSLL IImmpplleemmeennttaattiioonnss aarree ssuuppppoorrtteedd??
+
+Currently the Postfix SMTP server supports the Cyrus SASL and Dovecot SASL
+implementations.
+
+    NNoottee
+
+    Current Postfix versions have a plug-in architecture that can support
+    multiple SASL implementations. Before Postfix version 2.3, Postfix had
+    support only for Cyrus SASL.
+
+To find out what SASL implementations are compiled into Postfix, use the
+following commands:
+
+    % ppoossttccoonnff --aa (SASL support in the SMTP server)
+    % ppoossttccoonnff --AA (SASL support in the SMTP+LMTP client)
+
+These commands are available only with Postfix version 2.3 and later.
+
+CCoonnffiigguurriinngg DDoovveeccoott SSAASSLL
+
+Dovecot is a POP/IMAP server that has its own configuration to authenticate
+POP/IMAP clients. When the Postfix SMTP server uses Dovecot SASL, it reuses
+parts of this configuration. Consult the Dovecot documentation for how to
+configure and operate the Dovecot authentication server.
+
+PPoossttffiixx ttoo DDoovveeccoott SSAASSLL ccoommmmuunniiccaattiioonn
+
+Communication between the Postfix SMTP server and Dovecot SASL happens over a
+UNIX-domain socket or over a TCP socket. We will be using a UNIX-domain socket
+for better privacy.
+
+The following fragment for Dovecot version 2 assumes that the Postfix queue is
+under /var/spool/postfix/.
+
+     1 conf.d/10-master.conf:
+     2     service auth {
+     3       ...
+     4       unix_listener /var/spool/postfix/private/auth {
+     5         mode = 0660
+     6         # Assuming the default Postfix user and group
+     7         user = postfix
+     8         group = postfix
+     9       }
+    10       ...
+    11     }
+    12
+    13 conf.d/10-auth.conf
+    14     auth_mechanisms = plain login
+
+Line 4 places the Dovecot SASL socket in /var/spool/postfix/private/auth, lines
+5-8 limit read+write permissions to user and group postfix only, and line 14
+provides plain and login as mechanisms for the Postfix SMTP server.
+
+Proceed with the section "Enabling SASL authentication and authorization in the
+Postfix SMTP server" to turn on and use SASL in the Postfix SMTP server.
+
+CCoonnffiigguurriinngg CCyyrruuss SSAASSLL
+
+The Cyrus SASL framework supports a wide variety of applications (POP, IMAP,
+SMTP, etc.). Different applications may require different configurations. As a
+consequence each application may have its own configuration file.
+
+The first step configuring Cyrus SASL is to determine name and location of a
+configuration file that describes how the Postfix SMTP server will use the SASL
+framework.
+
+CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffiillee nnaammee
+
+The name of the configuration file (default: smtpd.conf) is configurable. It is
+a concatenation from a value that the Postfix SMTP server sends to the Cyrus
+SASL library, and the suffix .conf, added by Cyrus SASL.
+
+The value sent by Postfix is the name of the server component that will use
+Cyrus SASL. It defaults to smtpd and is configured with one of the following
+variables:
+
+    /etc/postfix/main.cf:
+        # Postfix 2.3 and later
+        smtpd_sasl_path = smtpd
+
+        # Postfix < 2.3
+        smtpd_sasl_application_name = smtpd
+
+CCyyrruuss SSAASSLL ccoonnffiigguurraattiioonn ffiillee llooccaattiioonn
+
+The location where Cyrus SASL searches for the named file depends on the Cyrus
+SASL version and the OS/distribution used.
+
+You can read more about the following topics:
+
+  * Cyrus SASL version 2.x searches for the configuration file in /usr/lib/
+    sasl2/.
+
+  * Cyrus SASL version 2.1.22 and newer additionally search in /etc/sasl2/.
+
+  * Some Postfix distributions are modified and look for the Cyrus SASL
+    configuration file in /etc/postfix/sasl/, /var/lib/sasl2/ etc. See the
+    distribution-specific documentation to determine the expected location.
+
+    NNoottee
+
+    Cyrus SASL searches /usr/lib/sasl2/ first. If it finds the specified
+    configuration file there, it will not examine other locations.
+
+PPoossttffiixx ttoo CCyyrruuss SSAASSLL ccoommmmuunniiccaattiioonn
+
+As the Postfix SMTP server is linked with the Cyrus SASL library libsasl,
+communication between Postfix and Cyrus SASL takes place by calling functions
+in the SASL library.
+
+The SASL library may use an external password verification service, or an
+internal plugin to connect to authentication backends and verify the SMTP
+client's authentication data against the system password file or other
+databases.
+
+The following table shows typical combinations discussed in this document:
+
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |  aauutthheennttiiccaattiioonn bbaacckkeenndd |ppaasssswwoorrdd vveerriiffiiccaattiioonn sseerrvviiccee // pplluuggiinn|
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |/etc/shadow              |saslauthd                             |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |PAM                      |saslauthd                             |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |IMAP server              |saslauthd                             |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |sasldb                   |sasldb                                |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |MySQL, PostgreSQL, SQLite|sql                                   |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |LDAP                     |ldapdb                                |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+    NNoottee
+
+    Read the Cyrus SASL documentation for other backends it can use.
+
+ssaassllaauutthhdd -- CCyyrruuss SSAASSLL ppaasssswwoorrdd vveerriiffiiccaattiioonn sseerrvviiccee
+
+Communication between the Postfix SMTP server (read: Cyrus SASL's libsasl) and
+the saslauthd server takes place over a UNIX-domain socket.
+
+saslauthd usually establishes the UNIX domain socket in /var/run/saslauthd/ and
+waits for authentication requests. The Postfix SMTP server must have
+read+execute permission to this directory or authentication attempts will fail.
+
+    IImmppoorrttaanntt
+
+    Some distributions require the user postfix to be member of a special group
+    e.g. sasl, otherwise it will not be able to access the saslauthd socket
+    directory.
+
+The following example configures the Cyrus SASL library to contact saslauthd as
+its password verification service:
+
+    /etc/sasl2/smtpd.conf:
+        pwcheck_method: saslauthd
+        mech_list: PLAIN LOGIN
+
+    IImmppoorrttaanntt
+
+    Do not specify any other mechanisms in mech_list than PLAIN or LOGIN when
+    using saslauthd! It can only handle these two mechanisms, and
+    authentication will fail if clients are allowed to choose other mechanisms.
+
+    IImmppoorrttaanntt
+
+    Plaintext mechanisms (PLAIN, LOGIN) send credentials unencrypted. This
+    information should be protected by an additional security layer such as a
+    TLS-encrypted SMTP session (see: TLS_README).
+
+Additionally the saslauthd server itself must be configured. It must be told
+which authentication backend to turn to for password verification. The backend
+is selected with a saslauthd command-line option and will be shown in the
+following examples.
+
+    NNoottee
+
+    Some distributions use a configuration file to provide saslauthd command
+    line options to set e.g. the authentication backend. Typical locations are
+    /etc/sysconfig/saslauthd or /etc/default/saslauthd.
+
+UUssiinngg ssaassllaauutthhdd wwiitthh //eettcc//sshhaaddooww
+
+Access to the /etc/shadow system password file requires root privileges. The
+Postfix SMTP server (and in consequence libsasl linked to the server) runs with
+the least privilege possible. Direct access to /etc/shadow would not be
+possible without breaking the Postfix security architecture.
+
+The saslauthd socket builds a safe bridge. Postfix, running as limited user
+postfix, can access the UNIX-domain socket that saslauthd receives commands on;
+saslauthd, running as privileged user root, has the privileges required to
+access the shadow file.
+
+The saslauthd server verifies passwords against the authentication backend /
+etc/shadow if started like this:
+
+    % ssaassllaauutthhdd --aa sshhaaddooww
+
+See section "Testing saslauthd authentication" for test instructions.
+
+UUssiinngg ssaassllaauutthhdd wwiitthh PPAAMM
+
+Cyrus SASL can use the PAM framework to authenticate credentials. saslauthd
+uses the PAM framework when started like this:
+
+    % ssaassllaauutthhdd --aa ppaamm
+
+    NNoottee
+
+    PAM configuration for the Postfix SMTP server is usually given in /etc/
+    pam.d/smtp and is beyond the scope of this document.
+
+See section "Testing saslauthd authentication" for test instructions.
+
+UUssiinngg ssaassllaauutthhdd wwiitthh aann IIMMAAPP sseerrvveerr
+
+saslauthd can verify the SMTP client credentials by using them to log into an
+IMAP server. If the login succeeds, SASL authentication also succeeds.
+saslauthd contacts an IMAP server when started like this:
+
+    % ssaassllaauutthhdd --aa rriimmaapp --OO iimmaapp..eexxaammppllee..ccoomm
+
+    NNoottee
+
+    The option "-O imap.example.com" specifies the IMAP server saslauthd should
+    contact when it verifies credentials.
+
+    IImmppoorrttaanntt
+
+    saslauthd sends IMAP login information unencrypted. Any IMAP session
+    leaving the local host should be protected by an additional security layer
+    such as an SSL tunnel.
+
+See section "Testing saslauthd authentication" for test instructions.
+
+TTeessttiinngg ssaassllaauutthhdd aauutthheennttiiccaattiioonn
+
+Cyrus SASL provides the testsaslauthd utility to test saslauthd authentication.
+The username and password are given as command line arguments. The example
+shows the response when authentication is successful:
+
+    % tteessttssaassllaauutthhdd --uu uusseerrnnaammee --pp ppaasssswwoorrdd
+    0: OK "Success."
+
+    NNoottee
+
+    Sometimes the testsaslauthd program is not distributed with a the Cyrus
+    SASL main package. In that case, it may be distributed with -devel, -dev or
+    -debug packages.
+
+Specify an additional "-s smtp" if saslauthd was configured to contact the PAM
+authentication framework, and specify an additional "-f //ppaatthh//ttoo//ssoocckkeettddiirr//mmuuxx"
+if saslauthd establishes the UNIX-domain socket in a non-default location.
+
+If authentication succeeds, proceed with the section "Enabling SASL
+authentication and authorization in the Postfix SMTP server".
+
+CCyyrruuss SSAASSLL PPlluuggiinnss -- aauuxxiilliiaarryy pprrooppeerrttyy pplluuggiinnss
+
+Cyrus SASL uses a plugin infrastructure (called auxprop) to expand libsasl's
+capabilities. Currently Cyrus SASL sources provide three authentication
+plugins.
+
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |PPlluuggiinn|DDeessccrriippttiioonn                                                    |
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |sasldb|Accounts are stored stored in a Cyrus SASL Berkeley DB database|
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |sql   |Accounts are stored in a SQL database                          |
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |ldapdb|Accounts are stored stored in an LDAP database                 |
+    |_ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+    IImmppoorrttaanntt
+
+    These three plugins support shared-secret mechanisms i.e. CRAM-MD5, DIGEST-
+    MD5 and NTLM. These mechanisms send credentials encrypted but their
+    verification process requires the password to be available in plaintext.
+    Consequently passwords cannot (!) be stored in encrypted form.
+
+TThhee ssaassllddbb pplluuggiinn
+
+The sasldb auxprop plugin authenticates SASL clients against credentials that
+are stored in a Berkeley DB database. The database schema is specific to Cyrus
+SASL. The database is usually located at /etc/sasldb2.
+
+    NNoottee
+
+    The sasldb2 file contains passwords in plaintext, and should have
+    read+write access only to user postfix or a group that postfix is member
+    of.
+
+The saslpasswd2 command-line utility creates and maintains the database:
+
+    % ssaassllppaasssswwdd22 --cc --uu eexxaammppllee..ccoomm uusseerrnnaammee
+    Password:
+    Again (for verification):
+
+This command creates an account uusseerrnnaammee@@eexxaammppllee..ccoomm.
+
+    IImmppoorrttaanntt
+
+    users must specify uusseerrnnaammee@@eexxaammppllee..ccoomm as login name, not uusseerrnnaammee.
+
+Run the following command to reuse the Postfix mydomain parameter value as the
+login domain:
+
+    % ssaassllppaasssswwdd22 --cc --uu ``ppoossttccoonnff --hh mmyyddoommaaiinn`` uusseerrnnaammee
+    Password:
+    Again (for verification):
+
+    NNoottee
+
+    Run saslpasswd2 without any options for further help on how to use the
+    command.
+
+The sasldblistusers2 command lists all existing users in the sasldb database:
+
+    % ssaassllddbblliissttuusseerrss22
+    username1@example.com: password1
+    username2@example.com: password2
+
+Configure libsasl to use sasldb with the following instructions:
+
+    /etc/sasl2/smtpd.conf:
+        pwcheck_method: auxprop
+        auxprop_plugin: sasldb
+        mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
+
+    NNoottee
+
+    In the above example adjust mech_list to the mechanisms that are applicable
+    for your environment.
+
+TThhee ssqqll pplluuggiinn
+
+The sql auxprop plugin is a generic SQL plugin. It provides access to
+credentials stored in a MySQL, PostgreSQL or SQLite database. This plugin
+requires that SASL client passwords are stored as plaintext.
+
+    TTiipp
+
+    If you must store encrypted passwords, you cannot use the sql auxprop
+    plugin. Instead, see section "Using saslauthd with PAM", and configure PAM
+    to look up the encrypted passwords with, for example, the pam_mysql module.
+    You will not be able to use any of the methods that require access to
+    plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
+    MD5.
+
+The following example configures libsasl to use the sql plugin and connects it
+to a PostgreSQL server:
+
+    /etc/sasl2/smtpd.conf:
+        pwcheck_method: auxprop
+        auxprop_plugin: sql
+        mech_list: PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM
+        sql_engine: pgsql
+        sql_hostnames: 127.0.0.1, 192.0.2.1
+        sql_user: username
+        sql_passwd: secret
+        sql_database: dbname
+        sql_select: SELECT password FROM users WHERE user = '%u@%r'
+
+    NNoottee
+
+    Set appropriate permissions if smtpd.conf contains a password. The file
+    should be readable by the postfix user.
+
+    NNoottee
+
+    In the above example, adjust mech_list to the mechanisms that are
+    applicable for your environment.
+
+The sql plugin has the following configuration options:
+
+    sql_engine
+        Specify mysql to connect to a MySQL server, pgsql for a PostgreSQL
+        server or sqlite for an SQLite database
+
+    sql_hostnames
+        Specify one or more servers (hostname or hostname:port) separated by
+        commas.
+
+            NNoottee
+
+            With MySQL servers, specify localhost to connect over a UNIX-domain
+            socket, and specify 127.0.0.1 to connect over a TCP socket.
+
+    sql_user
+        The login name to gain access to the database.
+
+    sql_passwd
+        The password to gain access to the database.
+
+    sql_database
+        The name of the database to connect to.
+
+    sql_select
+        The SELECT statement that should retrieve the plaintext password from a
+        database table.
+
+            IImmppoorrttaanntt
+
+            Do not enclose the statement in quotes! Use single quotes to escape
+            macros!
+
+The sql plugin provides macros to build sql_select statements. They will be
+replaced with arguments sent from the client. The following macros are
+available:
+
+    %u
+        The name of the user whose properties are being selected.
+
+    %p
+        The name of the property being selected. While this could technically
+        be anything, Cyrus SASL will try userPassword and cmusaslsecretMECHNAME
+        (where MECHNAME is the name of a SASL mechanism).
+
+    %r
+        The name of the realm to which the user belongs. This could be the
+        KERBEROS realm, the fully-qualified domain name of the computer the
+        SASL application is running on, or the domain after the "@" in a
+        username.
+
+TThhee llddaappddbb pplluuggiinn
+
+The ldapdb auxprop plugin provides access to credentials stored in an LDAP
+server. This plugin requires that SASL client passwords are stored as
+plaintext.
+
+    TTiipp
+
+    If you must store encrypted passwords, you cannot use the ldapdb auxprop
+    plugin. Instead, you can use "saslauthd -a ldap" to query the LDAP database
+    directly, with appropriate configuration in saslauthd.conf, as described
+    here. You will not be able to use any of the methods that require access to
+    plaintext passwords, such as the shared-secret methods CRAM-MD5 and DIGEST-
+    MD5.
+
+The ldapdb plugin implements proxy authorization. This means that the ldapdb
+plugin uses its own username and password to authenticate with the LDAP server,
+before it asks the LDAP server for the remote SMTP client's password. The LDAP
+server then decides if the ldapdb plugin is authorized to read the remote SMTP
+client's password.
+
+In a nutshell: Configuring ldapdb means authentication and authorization must
+be configured twice - once in the Postfix SMTP server to authenticate and
+authorize the remote SMTP client, and once in the LDAP server to authenticate
+and authorize the ldapdb plugin.
+
+This example configures libsasl to use the ldapdb plugin and the plugin to
+connect to an LDAP server:
+
+    /etc/sasl2/smtpd.conf:
+        pwcheck_method: auxprop
+        auxprop_plugin: ldapdb
+        mech_list: PLAIN LOGIN NTLM CRAM-MD5 DIGEST-MD5
+        ldapdb_uri: ldap://localhost
+        ldapdb_id: proxyuser
+        ldapdb_pw: password
+        ldapdb_mech: DIGEST-MD5
+
+    IImmppoorrttaanntt
+
+    Set appropriate permissions if smtpd.conf contains a password. The file
+    should be readable by the postfix user.
+
+    NNoottee
+
+    The shared-secret mechanisms (CRAM-MD5, etc.) require that the SASL client
+    passwords are stored as plaintext.
+
+The following is a summary of applicable smtpd.conf file entries:
+
+    auxprop_plugin
+        Specify ldapdb to enable the plugin.
+
+    ldapdb_uri
+        Specify either ldapi:// to connect over a UNIX-domain socket, ldap:/
+        / for an unencrypted TCP connection, or ldaps:// for an encrypted TCP
+        connection.
+
+    ldapdb_id
+        The login name to authenticate the ldapdb plugin to the LDAP server
+        (proxy authorization).
+
+    ldapdb_pw
+        The password (in plaintext) to authenticate the ldapdb plugin to the
+        LDAP server (proxy authorization).
+
+    ldapdb_mech
+        The mechanism to authenticate the ldapdb plugin to the LDAP server.
+
+            NNoottee
+
+            Specify a mechanism here that is supported by the LDAP server.
+
+    ldapdb_rc (optional)
+        The path to a file containing individual configuration options for the
+        ldapdb LDAP client (libldap). This allows to specify a TLS client
+        certificate which in turn can be used to use the SASL EXTERNAL
+        mechanism.
+
+            NNoottee
+
+            This mechanism supports authentication over an encrypted transport
+            layer, which is recommended if the plugin must connect to an
+            OpenLDAP server on a remote machine.
+
+    ldapdb_starttls (optional)
+        The TLS policy for connecting to the LDAP server. Specify either try or
+        demand. If the option is try the plugin will attempt to establish a
+        TLS-encrypted connection with the LDAP server, and will fallback to an
+        unencrypted connection if TLS fails. If the policy is demand and a TLS-
+        encrypted connection cannot be established, the connection fails
+        immediately.
+
+When the ldapdb plugin connects to the OpenLDAP server and successfully
+authenticates, the OpenLDAP server decides if the plugin user is authorized to
+read SASL account information.
+
+The following configuration gives an example of authorization configuration in
+the OpenLDAP slapd server:
+
+    /etc/openldap/slapd.conf:
+        authz-regexp
+        uid=(.*),cn=.*,cn=auth
+        ldap:///dc=example,dc=com??sub?cn=$1
+        authz-policy to
+
+Here, the authz-regexp option serves for authentication of the ldapdb user. It
+maps its login name to a DN in the LDAP directory tree where slapd can look up
+the SASL account information. The authz-policy options defines the
+authentication policy. In this case it grants authentication privileges "to"
+the ldapdb plugin.
+
+The last configuration step is to tell the OpenLDAP slapd server where ldapdb
+may search for usernames matching the one given by the mail client. The example
+below adds an additional attribute ldapdb user object (here: authzTo because
+the authz-policy is "to") and configures the scope where the login name
+"proxyuser" may search:
+
+    dn: cn=proxyuser,dc=example,dc=com
+    changetype: modify
+    add: authzTo
+    authzTo: dn.regex:uniqueIdentifier=(.*),ou=people,dc=example,dc=com
+
+Use the ldapmodify or ldapadd command to add the above attribute.
+
+    NNoottee
+
+    Read the chapter "Using SASL" in the OpenLDAP Admin Guide for more detailed
+    instructions to set up SASL authentication in OpenLDAP.
+
+EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn aanndd aauutthhoorriizzaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
+
+By default the Postfix SMTP server uses the Cyrus SASL implementation. If the
+Dovecot SASL implementation should be used, specify an smtpd_sasl_type value of
+dovecot instead of cyrus:
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_type = dovecot
+
+Additionally specify how Postfix SMTP server can find the Dovecot
+authentication server. This depends on the settings that you have selected in
+the section "Postfix to Dovecot SASL communication".
+
+  * If you configured Dovecot for UNIX-domain socket communication, configure
+    Postfix as follows:
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_path = private/auth
+
+    NNoottee
+    This example uses a pathname relative to the Postfix queue directory, so
+    that it will work whether or not the Postfix SMTP server runs chrooted.
+
+  * If you configured Dovecot for TCP socket communication, configure Postfix
+    as follows. If Dovecot runs on a different machine, replace 127.0.0.1 by
+    that machine's IP address.
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_path = inet:127.0.0.1:12345
+
+    NNoottee
+    If you specify a remote IP address, information will be sent as plaintext
+    over the network.
+
+EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
+
+Regardless of the SASL implementation type, enabling SMTP authentication in the
+Postfix SMTP server always requires setting the smtpd_sasl_auth_enable option:
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_auth_enable = yes
+
+After a "postfix reload", SMTP clients will see the additional capability AUTH
+in an SMTP session, followed by a list of authentication mechanisms the server
+supports:
+
+    % tteellnneett sseerrvveerr..eexxaammppllee..ccoomm 2255
+    ...
+    220 server.example.com ESMTP Postfix
+    EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
+    250-server.example.com
+    250-PIPELINING
+    250-SIZE 10240000
+    250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
+    ...
+
+However not all clients recognize the AUTH capability as defined by the SASL
+authentication RFC. Some historical implementations expect the server to send
+an "=" as separator between the AUTH verb and the list of mechanisms that
+follows it.
+
+The broken_sasl_auth_clients configuration option lets Postfix repeat the AUTH
+statement in a form that these broken clients understand:
+
+    /etc/postfix/main.cf:
+        broken_sasl_auth_clients = yes
+
+    NNoottee
+
+    Enable this option for Outlook up to and including version 2003 and Outlook
+    Express up to version 6. This option does not hurt other clients.
+
+After "postfix reload", the Postfix SMTP server will propagate the AUTH
+capability twice - once for compliant and once for broken clients:
+
+    % tteellnneett sseerrvveerr..eexxaammppllee..ccoomm 2255
+    ...
+    220 server.example.com ESMTP Postfix
+    EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
+    250-server.example.com
+    250-PIPELINING
+    250-SIZE 10240000
+    250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
+    250-AUTH=DIGEST-MD5 PLAIN CRAM-MD5
+    ...
+
+PPoossttffiixx SSMMTTPP SSeerrvveerr ppoolliiccyy -- SSAASSLL mmeecchhaanniissmm pprrooppeerrttiieess
+
+The Postfix SMTP server supports policies that limit the SASL mechanisms that
+it makes available to clients, based on the properties of those mechanisms. The
+next two sections give examples of how these policies are used.
+
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |PPrrooppeerrttyy       |DDeessccrriippttiioonn                                              |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |noanonymous    |Don't use mechanisms that permit anonymous               |
+    |               |authentication.                                          |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |noplaintext    |Don't use mechanisms that transmit unencrypted username  |
+    |               |and password information.                                |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |nodictionary   |Don't use mechanisms that are vulnerable to dictionary   |
+    |               |attacks.                                                 |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |forward_secrecy|Require forward secrecy between sessions (breaking one   |
+    |               |session does not break earlier sessions).                |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |mutual_auth    |Use only mechanisms that authenticate both the client and|
+    |               |the server to each other.                                |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+UUnneennccrryypptteedd SSMMTTPP sseessssiioonn
+
+The default policy is to allow any mechanism in the Postfix SMTP server except
+for those based on anonymous authentication:
+
+    /etc/postfix/main.cf:
+        # Specify a list of properties separated by comma or whitespace
+        smtpd_sasl_security_options = noanonymous
+
+    IImmppoorrttaanntt
+
+    Always set at least the noanonymous option. Otherwise, the Postfix SMTP
+    server can give strangers the same authorization as a properly-
+    authenticated client.
+
+EEnnccrryypptteedd SSMMTTPP sseessssiioonn ((TTLLSS))
+
+A separate parameter controls Postfix SASL mechanism policy during a TLS-
+encrypted SMTP session. The default is to copy the settings from the
+unencrypted session:
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
+
+A more sophisticated policy allows plaintext mechanisms, but only over a TLS-
+encrypted connection:
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_security_options = noanonymous, noplaintext
+        smtpd_sasl_tls_security_options = noanonymous
+
+To offer SASL authentication only after a TLS-encrypted session has been
+established specify this:
+
+    /etc/postfix/main.cf:
+        smtpd_tls_auth_only = yes
+
+EEnnaabblliinngg SSAASSLL aauutthhoorriizzaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP sseerrvveerr
+
+After the client has authenticated with SASL, the Postfix SMTP server decides
+what the remote SMTP client will be authorized for. Examples of possible SMTP
+clients authorizations are:
+
+  * Send a message to a remote recipient.
+
+  * Use a specific envelope sender in the MAIL FROM command.
+
+These permissions are not enabled by default.
+
+MMaaiill rreellaayy aauutthhoorriizzaattiioonn
+
+With permit_sasl_authenticated the Postfix SMTP server can allow SASL-
+authenticated SMTP clients to send mail to remote destinations. Examples:
+
+    # With Postfix 2.10 and later, the mail relay policy is
+    # preferably specified under smtpd_relay_restrictions.
+    /etc/postfix/main.cf:
+        smtpd_relay_restrictions =
+            permit_mynetworks
+            ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd
+            reject_unauth_destination
+
+    # Older configurations combine relay control and spam control under
+    # smtpd_recipient_restrictions. To use this example with Postfix >=
+    # 2.10 specify "smtpd_relay_restrictions=".
+    /etc/postfix/main.cf:
+        smtpd_recipient_restrictions =
+            permit_mynetworks
+            ppeerrmmiitt__ssaassll__aauutthheennttiiccaatteedd
+            reject_unauth_destination
+            ...other rules...
+
+EEnnvveellooppee sseennddeerr aaddddrreessss aauutthhoorriizzaattiioonn
+
+By default an SMTP client may specify any envelope sender address in the MAIL
+FROM command. That is because the Postfix SMTP server only knows the remote
+SMTP client hostname and IP address, but not the user who controls the remote
+SMTP client.
+
+This changes the moment an SMTP client uses SASL authentication. Now, the
+Postfix SMTP server knows who the sender is. Given a table of envelope sender
+addresses and SASL login names, the Postfix SMTP server can decide if the SASL
+authenticated client is allowed to use a particular envelope sender address:
+
+    /etc/postfix/main.cf:
+        ssmmttppdd__sseennddeerr__llooggiinn__mmaappss == hhaasshh:://eettcc//ppoossttffiixx//ccoonnttrroolllleedd__eennvveellooppee__sseennddeerrss
+
+        smtpd_recipient_restrictions =
+            ...
+            rreejjeecctt__sseennddeerr__llooggiinn__mmiissmmaattcchh
+            permit_sasl_authenticated
+            ...
+
+The controlled_envelope_senders table specifies the binding between a sender
+envelope address and the SASL login names that own that address:
+
+    /etc/postfix/controlled_envelope_senders
+        # envelope sender           owners (SASL login names)
+        john@example.com            john@example.com
+        helpdesk@example.com        john@example.com, mary@example.com
+        postmaster                  admin@example.com
+        @example.net                barney, fred, john@example.com,
+    mary@example.com
+
+With this, the reject_sender_login_mismatch restriction above will reject the
+sender address in the MAIL FROM command if smtpd_sender_login_maps does not
+specify the SMTP client's login name as an owner of that address.
+
+See also reject_authenticated_sender_login_mismatch,
+reject_known_sender_login_mismatch, and
+reject_unauthenticated_sender_login_mismatch for additional control over the
+SASL login name and the envelope sender.
+
+AAddddiittiioonnaall SSMMTTPP SSeerrvveerr SSAASSLL ooppttiioonnss
+
+Postfix provides a wide range of SASL authentication configuration options. The
+next section lists a few that are discussed frequently. See postconf(5) for a
+complete list.
+
+PPeerr--aaccccoouunntt aacccceessss ccoonnttrrooll
+
+Postfix can implement policies that depend on the SASL login name (Postfix 2.11
+and later). Typically this is used to HOLD or REJECT mail from accounts whose
+credentials have been compromised.
+
+    /etc/postfix/main.cf:
+        smtpd_recipient_restrictions =
+            permit_mynetworks
+            check_sasl_access hash:/etc/postfix/sasl_access
+            permit_sasl_authenticated
+            ...
+
+    /etc/postfix/sasl_access:
+         # Use this when smtpd_sasl_local_domain is empty.
+         username   HOLD
+         # Use this when smtpd_sasl_local_domain=example.com.
+         username@example.com HOLD
+
+DDeeffaauulltt aauutthheennttiiccaattiioonn ddoommaaiinn
+
+Postfix can append a domain name (or any other string) to a SASL login name
+that does not have a domain part, e.g. "john" instead of "john@example.com":
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_local_domain = example.com
+
+This is useful as a default setting and safety net for misconfigured clients,
+or during a migration to an authentication method/backend that requires an
+authentication REALM or domain name, before all SMTP clients are configured to
+send such information.
+
+HHiiddiinngg SSAASSLL aauutthheennttiiccaattiioonn ffrroomm cclliieennttss oorr nneettwwoorrkkss
+
+Some clients insist on using SASL authentication if it is offered, even when
+they are not configured to send credentials - and therefore they will always
+fail and disconnect.
+
+Postfix can hide the AUTH capability from these clients/networks:
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_exceptions_networks = !192.0.2.171/32, 192.0.2.0/24
+
+AAddddiinngg tthhee SSAASSLL llooggiinn nnaammee ttoo mmaaiill hheeaaddeerrss
+
+To report SASL login names in Received: message headers (Postfix version 2.3
+and later):
+
+    /etc/postfix/main.cf:
+        smtpd_sasl_authenticated_header = yes
+
+    NNoottee
+
+    The SASL login names will be shared with the entire world.
+
+TTeessttiinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP SSeerrvveerr
+
+To test the server side, connect (for example, with telnet) to the Postfix SMTP
+server port and you should be able to have a conversation as shown below.
+Information sent by the client (that is, you) is shown in bboolldd font.
+
+    % tteellnneett sseerrvveerr..eexxaammppllee..ccoomm 2255
+    ...
+    220 server.example.com ESMTP Postfix
+    EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
+    250-server.example.com
+    250-PIPELINING
+    250-SIZE 10240000
+    250-ETRN
+    250-AUTH DIGEST-MD5 PLAIN CRAM-MD5
+    250 8BITMIME
+    AAUUTTHH PPLLAAIINN AAHHRRllcc33QQAAddGGVVzzddHHBBhhcc33MM==
+    235 Authentication successful
+
+To test this over a connection that is encrypted with TLS, use openssl s_client
+instead of telnet:
+
+    % ooppeennssssll ss__cclliieenntt --ccoonnnneecctt sseerrvveerr..eexxaammppllee..ccoomm::2255 --ssttaarrttttllss ssmmttpp
+    ...
+    220 server.example.com ESMTP Postfix
+    EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
+    ...see above example for more...
+
+Instead of AHRlc3QAdGVzdHBhc3M=, specify the base64-encoded form of
+\0username\0password (the \0 is a null byte). The example above is for a user
+named `test' with password `testpass'.
+
+    CCaauuttiioonn
+
+    When posting logs of the SASL negotiations to public lists, please keep in
+    mind that username/password information is trivial to recover from the
+    base64-encoded form.
+
+You can use one of the following commands to generate base64 encoded
+authentication information:
+
+  * Using a recent version of the bbaasshh shell:
+
+        % eecchhoo --nnee ''\\000000uusseerrnnaammee\\000000ppaasssswwoorrdd'' || ooppeennssssll bbaassee6644
+
+    Some other shells support similar syntax.
+
+  * Using the pprriinnttff command:
+
+        % pprriinnttff ''\\00%%ss\\00%%ss'' ''uusseerrnnaammee'' ''ppaasssswwoorrdd'' || ooppeennssssll bbaassee6644
+        % pprriinnttff ''\\00%%ss\\00%%ss'' ''uusseerrnnaammee'' ''ppaasssswwoorrdd'' || mmmmeennccooddee
+
+    The mmmmeennccooddee command is part of the metamail software.
+
+  * Using Perl MMIIMMEE::::BBaassee6644 (from http://www.cpan.org/):
+
+        % ppeerrll --MMMMIIMMEE::::BBaassee6644 --ee \\
+            ''pprriinntt eennccooddee__bbaassee6644((""\\00uusseerrnnaammee\\00ppaasssswwoorrdd""));;''
+
+    If the username or password contain "@", you must specify "\@".
+
+  * Using the ggeenn--aauutthh script:
+
+        % ggeenn--aauutthh ppllaaiinn
+        username: uusseerrnnaammee
+        password:
+
+    The ggeenn--aauutthh Perl script was written by John Jetmore and can be found at
+    http://jetmore.org/john/code/gen-auth.
+
+CCoonnffiigguurriinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP//LLMMTTPP cclliieenntt
+
+The Postfix SMTP and the LMTP client can authenticate with a remote SMTP server
+via the Cyrus SASL framework. At this time, the Dovecot SASL implementation
+does not provide client functionality.
+
+    NNoottee
+
+    The examples in this section discuss only the SMTP client. Replace smtp_
+    with lmtp_ to get the corresponding LMTP client configuration.
+
+You can read more about the following topics:
+
+  * Enabling SASL authentication in the Postfix SMTP/LMTP client
+  * Configuring sender-dependent SASL authentication
+  * Postfix SMTP/LMTP client policy - SASL mechanism pprrooppeerrttiieess
+  * Postfix SMTP/LMTP client policy - SASL mechanism nnaammeess
+
+EEnnaabblliinngg SSAASSLL aauutthheennttiiccaattiioonn iinn tthhee PPoossttffiixx SSMMTTPP//LLMMTTPP cclliieenntt
+
+This section shows a typical scenario where the Postfix SMTP client sends all
+messages via a mail gateway server that requires SASL authentication.
+
+    TTrroouubbllee ssoollvviinngg ttiippss::
+
+      * If your SASL logins fail with "SASL authentication failure: No worthy
+        mechs found" in the mail logfile, then see the section "Postfix SMTP/
+        LMTP client policy - SASL mechanism pprrooppeerrttiieess".
+
+      * For a solution to a more obscure class of SASL authentication failures,
+        see "Postfix SMTP/LMTP client policy - SASL mechanism nnaammeess".
+
+To make the example more readable we introduce it in two parts. The first part
+takes care of the basic configuration, while the second part sets up the
+username/password information.
+
+    /etc/postfix/main.cf:
+        smtp_sasl_auth_enable = yes
+        smtp_tls_security_level = encrypt
+        smtp_sasl_tls_security_options = noanonymous
+        relayhost = [mail.isp.example]
+        # Alternative form:
+        # relayhost = [mail.isp.example]:submission
+        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+
+  * The smtp_sasl_auth_enable setting enables client-side authentication. We
+    will configure the client's username and password information in the second
+    part of the example.
+
+  * The smtp_tls_security_level setting ensures that the connection to the
+    remote smtp server will be encrypted, and smtp_sasl_tls_security_options
+    removes the prohibition on plaintext passwords.
+
+  * The relayhost setting forces the Postfix SMTP to send all remote messages
+    to the specified mail server instead of trying to deliver them directly to
+    their destination.
+
+  * In the relayhost setting, the "[" and "]" prevent the Postfix SMTP client
+    from looking up MX (mail exchanger) records for the enclosed name.
+
+  * The relayhost destination may also specify a non-default TCP port. For
+    example, the alternative form [mail.isp.example]:submission tells Postfix
+    to connect to TCP network port 587, which is reserved for email client
+    applications.
+
+  * The Postfix SMTP client is compatible with SMTP servers that use the non-
+    standard "AUTH=mmeetthhoodd....." syntax in response to the EHLO command; this
+    requires no additional Postfix client configuration.
+
+  * With the setting "smtp_tls_wrappermode = yes", the Postfix SMTP client
+    supports the "wrappermode" protocol, which uses TCP port 465 on the SMTP
+    server (Postfix 3.0 and later).
+
+  * With the smtp_sasl_password_maps parameter, we configure the Postfix SMTP
+    client to send username and password information to the mail gateway
+    server. As discussed in the next section, the Postfix SMTP client supports
+    multiple ISP accounts. For this reason the username and password are stored
+    in a table that contains one username/password combination for each mail
+    gateway server.
+
+    /etc/postfix/sasl_passwd:
+        # destination                   credentials
+        [mail.isp.example]              username:password
+        # Alternative form:
+        # [mail.isp.example]:submission username:password
+
+    IImmppoorrttaanntt
+
+    Keep the SASL client password file in /etc/postfix, and make the file
+    read+write only for root to protect the username/password combinations
+    against other users. The Postfix SMTP client will still be able to read the
+    SASL client passwords. It opens the file as user root before it drops
+    privileges, and before entering an optional chroot jail.
+
+  * Use the postmap command whenever you change the /etc/postfix/sasl_passwd
+    file.
+
+  * If you specify the "[" and "]" in the relayhost destination, then you must
+    use the same form in the smtp_sasl_password_maps file.
+
+  * If you specify a non-default TCP Port (such as ":submission" or ":587") in
+    the relayhost destination, then you must use the same form in the
+    smtp_sasl_password_maps file.
+
+CCoonnffiigguurriinngg SSeennddeerr--DDeeppeennddeenntt SSAASSLL aauutthheennttiiccaattiioonn
+
+Postfix supports different ISP accounts for different sender addresses (version
+2.3 and later). This can be useful when one person uses the same machine for
+work and for personal use, or when people with different ISP accounts share the
+same Postfix server.
+
+To make this possible, Postfix supports per-sender SASL passwords and per-
+sender relay hosts. In the example below, the Postfix SMTP client will search
+the SASL password file by sender address before it searches that same file by
+destination. Likewise, the Postfix trivial-rewrite(8) daemon will search the
+per-sender relayhost file, and use the default relayhost setting only as a
+final resort.
+
+    /etc/postfix/main.cf:
+        smtp_sender_dependent_authentication = yes
+        sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
+        smtp_sasl_auth_enable = yes
+        smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
+        relayhost = [mail.isp.example]
+        # Alternative form:
+        # relayhost = [mail.isp.example]:submission
+
+    /etc/postfix/sasl_passwd:
+        # Per-sender authentication; see also /etc/postfix/sender_relay.
+        user1@example.com               username1:password1
+        user2@example.net               username2:password2
+        # Login information for the default relayhost.
+        [mail.isp.example]              username:password
+        # Alternative form:
+        # [mail.isp.example]:submission username:password
+
+    /etc/postfix/sender_relay:
+        # Per-sender provider; see also /etc/postfix/sasl_passwd.
+        user1@example.com               [mail.example.com]:submission
+        user2@example.net               [mail.example.net]
+
+  * If you are creative, then you can try to combine the two tables into one
+    single MySQL database, and configure different Postfix queries to extract
+    the appropriate information.
+
+  * Specify ddbbmm instead of hhaasshh if your system uses ddbbmm files instead of ddbb
+    files. To find out what lookup tables Postfix supports, use the command
+    "ppoossttccoonnff --mm".
+
+  * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//ssaassll__ppaasssswwdd" whenever you change
+    the sasl_passwd table.
+
+  * Execute the command "ppoossttmmaapp //eettcc//ppoossttffiixx//sseennddeerr__rreellaayy" whenever you change
+    the sender_relay table.
+
+PPoossttffiixx SSMMTTPP//LLMMTTPP cclliieenntt ppoolliiccyy -- SSAASSLL mmeecchhaanniissmm pprrooppeerrttiieess
+
+Just like the Postfix SMTP server, the SMTP client has a policy that determines
+which SASL mechanisms are acceptable, based on their properties. The next two
+sections give examples of how these policies are used.
+
+     _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
+    |PPrrooppeerrttyy    |DDeessccrriippttiioonn                                                |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |noanonymous |Don't use mechanisms that permit anonymous authentication. |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |noplaintext |Don't use mechanisms that transmit unencrypted username and|
+    |            |password information.                                      |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |nodictionary|Don't use mechanisms that are vulnerable to dictionary     |
+    |            |attacks.                                                   |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+    |mutual_auth |Use only mechanisms that authenticate both the client and  |
+    |            |the server to each other.                                  |
+    |_ _ _ _ _ _ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |
+
+UUnneennccrryypptteedd SSMMTTPP sseessssiioonn
+
+The default policy is stricter than that of the Postfix SMTP server - plaintext
+mechanisms are not allowed (nor is any anonymous mechanism):
+
+    /etc/postfix/main.cf:
+        smtp_sasl_security_options = noplaintext, noanonymous
+
+This default policy, which allows no plaintext passwords, leads to
+authentication failures if the remote server only offers plaintext
+authentication mechanisms (the SMTP server announces "AUTH PLAIN LOGIN"). In
+such cases the SMTP client will log the following error message:
+
+    SASL authentication failure: No worthy mechs found
+
+    NNoottee
+
+    This same error message will also be logged when the libplain.so or
+    liblogin.so modules are not installed in the /usr/lib/sasl2 directory.
+
+The insecure approach is to lower the security standards and permit plaintext
+authentication mechanisms:
+
+    /etc/postfix/main.cf:
+        smtp_sasl_security_options = noanonymous
+
+The more secure approach is to protect the plaintext username and password with
+TLS session encryption. To find out if the remote SMTP server supports TLS,
+connect to the server and see if it announces STARTTLS support as shown in the
+example. Information sent by the client (that is, you) is shown in bboolldd font.
+
+    % tteellnneett sseerrvveerr..eexxaammppllee..ccoomm 2255
+    ...
+    220 server.example.com ESMTP Postfix
+    EEHHLLOO cclliieenntt..eexxaammppllee..ccoomm
+    250-server.example.com
+    250-PIPELINING
+    250-SIZE 10240000
+    250-STARTTLS
+    ...
+
+Instead of port 25 (smtp), specify port 587 (submission) where appropriate.
+
+EEnnccrryypptteedd SSMMTTPP sseessssiioonn ((TTLLSS))
+
+To turn on TLS in the Postfix SMTP client, see TLS_README for configuration
+details.
+
+The smtp_sasl_tls_security_options parameter controls Postfix SASL mechanism
+policy during a TLS-encrypted SMTP session. The default is to copy the settings
+from the unencrypted session:
+
+    /etc/postfix/main.cf:
+        smtp_sasl_tls_security_options = $smtp_sasl_security_options
+
+A more sophisticated policy allows plaintext mechanisms, but only over a TLS-
+encrypted connection:
+
+    /etc/postfix/main.cf:
+        smtp_sasl_security_options = noanonymous, noplaintext
+        smtp_sasl_tls_security_options = noanonymous
+
+PPoossttffiixx SSMMTTPP//LLMMTTPP cclliieenntt ppoolliiccyy -- SSAASSLL mmeecchhaanniissmm nnaammeess
+
+Given the SASL security options of the previous section, the Cyrus SASL library
+will choose the most secure authentication mechanism that both the SMTP client
+and server implement. Unfortunately, that authentication mechanism may fail
+because the client or server is not configured to use that mechanism.
+
+To prevent this, the Postfix SMTP client can filter the names of the
+authentication mechanisms from the remote SMTP server. Used correctly, the
+filter hides unwanted mechanisms from the Cyrus SASL library, forcing the
+library to choose from the mechanisms the Postfix SMTP client filter passes
+through.
+
+The following example filters out everything but the mechanisms PLAIN and
+LOGIN:
+
+    /etc/postfix/main.cf:
+        smtp_sasl_mechanism_filter = plain, login
+
+    NNoottee
+
+    If the remote server does not offer any of the mechanisms on the filter
+    list, authentication will fail.
+
+We close this section with an example that passes every mechanism except for
+GSSAPI and LOGIN:
+
+    /etc/postfix/main.cf:
+        smtp_sasl_mechanism_filter = !gssapi, !login, static:all
+
+BBuuiillddiinngg PPoossttffiixx wwiitthh SSAASSLL ssuuppppoorrtt
+
+As mentioned elsewhere, Postfix supports two SASL implementations: Cyrus SASL
+(SMTP client and server) and Dovecot SASL (SMTP server only). Both
+implementations can be built into Postfix simultaneously.
+
+  * Building Dovecot SASL support
+  * Building Cyrus SASL support
+
+BBuuiillddiinngg DDoovveeccoott SSAASSLL ssuuppppoorrtt
+
+These instructions assume that you build Postfix from source code as described
+in the INSTALL document. Some modification may be required if you build Postfix
+from a vendor-specific source package.
+
+Support for the Dovecot version 1 SASL protocol is available in Postfix 2.3 and
+later. At the time of writing, only server-side SASL support is available, so
+you can't use it to authenticate the Postfix SMTP client to your network
+provider's server.
+
+Dovecot uses its own daemon process for authentication. This keeps the Postfix
+build process simple, because there is no need to link extra libraries into
+Postfix.
+
+To generate the necessary Makefiles, execute the following in the Postfix top-
+level directory:
+
+    % mmaakkee ttiiddyy # if you have left-over files from a previous build
+    % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==''--DDUUSSEE__SSAASSLL__AAUUTTHH \\
+        --DDDDEEFF__SSEERRVVEERR__SSAASSLL__TTYYPPEE==\\""ddoovveeccoott\\""''
+
+After this, proceed with "make" as described in the INSTALL document.
+
+NNoottee
+
+  * The -DDEF_SERVER_SASL_TYPE=\"dovecot\" is not necessary; it just makes
+    Postfix configuration a little more convenient because you don't have to
+    specify the SASL plug-in type in the Postfix main.cf file (but this may
+    cause surprises when you switch to a later Postfix version that is built
+    with the default SASL type of cyrus).
+
+  * If you also want support for LDAP or TLS (or for Cyrus SASL), you need to
+    merge their CCARGS and AUXLIBS options into the above command line; see the
+    LDAP_README and TLS_README for details.
+
+        % mmaakkee ttiiddyy # if you have left-over files from a previous build
+        % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==''--DDUUSSEE__SSAASSLL__AAUUTTHH \\
+            --DDDDEEFF__SSEERRVVEERR__SSAASSLL__TTYYPPEE==\\""ddoovveeccoott\\"" \\
+            ......CCCCAARRGGSS ooppttiioonnss ffoorr LLDDAAPP oorr TTLLSS eettcc........'' \\
+           AAUUXXLLIIBBSS==''......AAUUXXLLIIBBSS ooppttiioonnss ffoorr LLDDAAPP oorr TTLLSS eettcc........''
+
+BBuuiillddiinngg CCyyrruuss SSAASSLL ssuuppppoorrtt
+
+BBuuiillddiinngg tthhee CCyyrruuss SSAASSLL lliibbrraarryy
+
+Postfix works with cyrus-sasl-1.5.x or cyrus-sasl-2.1.x, which are available
+from https://github.com/cyrusimap/cyrus-sasl/releases.
+
+    IImmppoorrttaanntt
+
+    If you install the Cyrus SASL libraries as per the default, you will have
+    to create a symlink /usr/lib/sasl -> /usr/local/lib/sasl for version 1.5.x
+    or /usr/lib/sasl2 -> /usr/local/lib/sasl2 for version 2.1.x.
+
+Reportedly, Microsoft Outlook (Express) requires the non-standard LOGIN and/or
+NTLM authentication mechanism. To enable these authentication mechanisms, build
+the Cyrus SASL libraries with:
+
+    % ..//ccoonnffiigguurree ----eennaabbllee--llooggiinn ----eennaabbllee--nnttllmm
+
+BBuuiillddiinngg PPoossttffiixx wwiitthh CCyyrruuss SSAASSLL ssuuppppoorrtt
+
+These instructions assume that you build Postfix from source code as described
+in the INSTALL document. Some modification may be required if you build Postfix
+from a vendor-specific source package.
+
+The following assumes that the Cyrus SASL include files are in /usr/local/
+include, and that the Cyrus SASL libraries are in /usr/local/lib.
+
+On some systems this generates the necessary Makefile definitions:
+
+Cyrus SASL version 2.1.x
+
+    % mmaakkee ttiiddyy # if you have left-over files from a previous build
+    % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__SSAASSLL__AAUUTTHH --DDUUSSEE__CCYYRRUUSS__SSAASSLL \\
+        --II//uussrr//llooccaall//iinncclluuddee//ssaassll"" AAUUXXLLIIBBSS==""--LL//uussrr//llooccaall//lliibb --llssaassll22""
+
+    If your Cyrus SASL shared library is in a directory that the RUN-TIME
+    linker does not know about, add a "-Wl,-R,/path/to/directory" option after
+    "-lsasl2".
+
+Cyrus SASL version 1.5.x
+
+    % mmaakkee ttiiddyy # if you have left-over files from a previous build
+    % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__SSAASSLL__AAUUTTHH --DDUUSSEE__CCYYRRUUSS__SSAASSLL \\
+        --II//uussrr//llooccaall//iinncclluuddee"" AAUUXXLLIIBBSS==""--LL//uussrr//llooccaall//lliibb --llssaassll""
+
+On Solaris 2.x you need to specify run-time link information, otherwise the
+ld.so run-time linker will not find the SASL shared library:
+
+Cyrus SASL version 2.1.x
+
+    % mmaakkee ttiiddyy # remove left-over files from a previous build
+    % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__SSAASSLL__AAUUTTHH --DDUUSSEE__CCYYRRUUSS__SSAASSLL \\
+        --II//uussrr//llooccaall//iinncclluuddee//ssaassll"" AAUUXXLLIIBBSS==""--LL//uussrr//llooccaall//lliibb \\
+        --RR//uussrr//llooccaall//lliibb --llssaassll22""
+
+Cyrus SASL version 1.5.x
+
+    % mmaakkee ttiiddyy # if you have left-over files from a previous build
+    % mmaakkee mmaakkeeffiilleess CCCCAARRGGSS==""--DDUUSSEE__SSAASSLL__AAUUTTHH --DDUUSSEE__CCYYRRUUSS__SSAASSLL \\
+        --II//uussrr//llooccaall//iinncclluuddee"" AAUUXXLLIIBBSS==""--LL//uussrr//llooccaall//lliibb \\
+        --RR//uussrr//llooccaall//lliibb --llssaassll""
+
+UUssiinngg CCyyrruuss SSAASSLL vveerrssiioonn 11..55..xx
+
+Postfix supports Cyrus SASL version 1.x, but you shouldn't use it unless you
+are forced to. The makers of Cyrus SASL write:
+
+    This library is being deprecated and applications should transition to
+    using the SASLv2 library (source: Project Cyrus: Downloads).
+
+If you still need to set it up, here's a quick rundown:
+
+Read the regular section on SMTP server configurations for the Cyrus SASL
+framework. The differences are:
+
+  * Cyrus SASL version 1.5.x searches for configuration (smtpd.conf) in /usr/
+    lib/sasl/ only. You must place the configuration in that directory. Some
+    systems may have modified Cyrus SASL and put the files into e.g. /var/lib/
+    sasl/.
+
+  * Use the saslpasswd command instead of saslpasswd2 to create users in
+    sasldb.
+
+  * Use the sasldblistusers command instead of sasldblistusers2 to find users
+    in sasldb.
+
+  * In the smtpd.conf file you can't use mech_list to limit the range of
+    mechanisms offered. Instead, remove their libraries from /usr/lib/sasl/
+    (and remember remove those files again when a system update re-installs new
+    versions).
+
+CCrreeddiittss
+
+  * Postfix SASL support was originally implemented by Till Franke of SuSE
+    Rhein/Main AG.
+  * Wietse trimmed down the code to only the bare necessities.
+  * Support for Cyrus SASL version 2 was contributed by Jason Hoos.
+  * Liviu Daia added smtpd_sasl_application_name, separated
+    reject_sender_login_mismatch into
+    reject_authenticated_sender_login_mismatch and
+    reject_unauthenticated_sender_login_mismatch, and revised the docs.
+  * Wietse made another iteration through the code to add plug-in support for
+    multiple SASL implementations, and for reasons that have been lost, also
+    changed smtpd_sasl_application_name into smtpd_sasl_path.
+  * The Dovecot SMTP server-only plug-in was originally implemented by Timo
+    Sirainen of Procontrol, Finland.
+  * Patrick Ben Koetter revised this document for Postfix 2.4 and made much
+    needed updates.
+  * Patrick Ben Koetter revised this document again for Postfix 2.7 and made
+    much needed updates.
+
-- 
cgit v1.2.3