Maysaslserver, mustsaslserver, nosasl, nosaslserver, saslswitchchannel, nosaslswitchchannel, disconnectbadauthlimit Channel Options
From MsgServerDocWiki
SMTP authentication and SASL (maysaslserver, mustsaslserver, nosasl, nosaslserver, saslswitchchannel, nosaslswitchchannel, disconnectbadauthlimit)
The maysaslserver, mustsaslserver, nosasl, nosaslserver, saslswitchchannel, and nosaslswitchchannel channel options configure the use of SASL, specifically the SMTP AUTH command, on SMTP-based channels such as TCP/IP channels. nosasl is the default and means that SASL authentication will be neither permitted nor attempted; it subsumes nosaslserver, which means only that the SMTP server will not permit clients to authenticate. Specifying maysaslserver causes the SMTP server to permit clients to attempt SASL authentication, without requiring it. Specifying mustsaslserver causes the SMTP server to insist on SASL authentication: it will not accept messages unless the remote client has successfully authenticated, and until authentication has been performed it will reject any attempted MAIL FROM: command with:
530 5.7.0 No AUTH command has been given.
The saslswitchchannel channel option causes an incoming connection to be switched to a specified channel once the client has successfully authenticated via SASL. It takes a required value, the name of the channel to switch to. nosaslswitchchannel is the default and means that no channel switching is performed upon a client's successful SASL use.
See also the mailSMTPSubmitChannel user LDAP attribute, which when set on a user entry causes that user's authenticated submissions to be "switched" to the specified channel; it thus permits "finer-grained" channel switching than saslswitchchannel, which merely switches all authenticated submissions to a single named channel.
See also the (new in 6.3) userswitchchannel channel option which, in conjunction with site-selected user or domain LDAP attributes, also allows "fine-grained" channel switching, in this case based merely on the purported From: address.
The saslswitchchannel channel option is typically used when authenticated and unauthenticated submissions are to be distinguished as a class. The mailSMTPSubmitChannel user LDAP attribute is typically used when submissions from particular users are to be securely distinguished (say, to grant "special privileges" to particular users), since it keys off the authenticated identity rather than anything the client claims. The (new in Poblano) userswitchchannel channel option and its associated LDAP attribute(s) are typically used to make esthetic distinctions, rather than more critical "secure" distinctions, on users' submissions without requiring authenticated verification of the sender address; because any client can place any address in From:, no privilege should depend on a userswitchchannel switch alone.
New in 6.2 is the disconnectbadauthlimit channel option, applicable to source channels. It takes a (required) integer argument specifying the maximum number of bad (failed) SMTP AUTH attempts permitted during a single SMTP session (connection). Once a client's failed SMTP AUTH attempts reach that number, the SMTP server rejects the attempt with an SMTP error whose rejection text includes "(bad authentication limit reached; disconnecting)" and then closes the connection. Since the count is per connection, a client can reconnect and try again; the option slows password guessing within one session rather than replacing rate limiting at the network or account level.
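The following Python model shows how the keywords above shape a single SMTP session: MAIL FROM: rejected with the 530 reply on a mustsaslserver channel, AUTH refused outright on a nosasl channel, the connection switched to another channel after a successful AUTH on a saslswitchchannel channel, and the connection dropped once disconnectbadauthlimit failures have been seen. It is an added example written for this page, not Messaging Server code; the imta.cnf-style channel blocks, the credential store, and every reply string except the 530 line quoted above are constructed assumptions, and the channel-block layout (a keyword line starting with the channel name, then the official host name) is assumed rather than taken from the page.

```python
"""Model of how a source channel's SASL keywords shape an SMTP session.

Added example, not Messaging Server code. It mimics the observable behaviour
the page describes for maysaslserver / mustsaslserver / nosasl(server),
saslswitchchannel and disconnectbadauthlimit so the policy can be exercised
offline. The channel-block text, the credential store and every reply string
except the 530 line quoted on the page are constructed for this example.
"""
import base64

# Constructed channel definitions in the imta.cnf layout assumed here:
# a keyword line starting with the channel name, then the official host name.
CHANNEL_BLOCKS = """\
tcp_local smtp mx single_sys maysaslserver saslswitchchannel tcp_auth disconnectbadauthlimit 3
tcp-daemon

tcp_auth smtp mx single_sys mustsaslserver disconnectbadauthlimit 3
tcp_auth-daemon

tcp_intranet smtp mx single_sys nosasl
tcp_intranet-daemon
"""

# Constructed credentials; the real MTA consults its SASL/LDAP user store.
USERS = {"alice": "correct horse"}
VALUED = ("saslswitchchannel", "disconnectbadauthlimit")  # keywords taking an argument


def parse_channels(text):
    """Return {channel: {keyword: value-or-True}} from the channel blocks."""
    channels = {}
    for block in text.strip().split("\n\n"):
        words = block.splitlines()[0].split()
        name, opts, it = words[0], {}, iter(words[1:])
        for kw in it:
            opts[kw] = next(it) if kw in VALUED else True
        channels[name] = opts
    return channels


def auth_plain(user, password):
    """Build the client's AUTH PLAIN command with an initial response."""
    blob = base64.b64encode(f"\x00{user}\x00{password}".encode()).decode()
    return f"AUTH PLAIN {blob}"


class Session:
    """One SMTP connection: feed it client commands, get the server reply."""

    def __init__(self, channels, channel):
        self.channels, self.channel = channels, channel
        self.authenticated = None      # user name once AUTH succeeds
        self.bad_auth = 0              # failed AUTH attempts on this connection
        self.open = True

    @property
    def opts(self):
        return self.channels[self.channel]

    def command(self, line):
        if not self.open:
            raise ConnectionError("server already closed the connection")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            # mustsaslserver: no MAIL FROM until the client has authenticated
            if "mustsaslserver" in self.opts and not self.authenticated:
                return "530 5.7.0 No AUTH command has been given."
            return "250 2.1.0 Originator ok"
        if verb == "QUIT":
            self.open = False
            return "221 2.0.0 Bye"
        return "250 2.0.0 OK"

    def _auth(self, arg):
        o = self.opts
        # nosasl is the default; only may/mustsaslserver accept AUTH at all
        if not ("maysaslserver" in o or "mustsaslserver" in o):
            return "503 5.5.1 AUTH not available on this channel"
        mech, _, blob = arg.partition(" ")
        try:
            _, user, password = base64.b64decode(blob).decode().split("\x00")
            ok = mech.upper() == "PLAIN" and USERS.get(user) == password
        except ValueError:             # bad base64 or malformed PLAIN response
            ok = False
        if ok:
            self.authenticated = user
            # saslswitchchannel: the connection moves to the named channel
            if "saslswitchchannel" in o:
                self.channel = o["saslswitchchannel"]
            return f"235 2.7.0 {user} authenticated"
        self.bad_auth += 1
        limit = int(o.get("disconnectbadauthlimit", 0))
        if limit and self.bad_auth >= limit:
            self.open = False          # reject this attempt, then drop the link
            return ("535 5.7.8 Bad username or password "
                    "(bad authentication limit reached; disconnecting)")
        return "535 5.7.8 Bad username or password"
```

Note that the failure counter lives on the Session object, so a new connection starts at zero, which is exactly why disconnectbadauthlimit slows but does not stop a guessing client that reconnects.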
Note that client configuration may be required in order to get clients to make use of the MTA's SMTP AUTH support (that is, to get clients to attempt to authenticate). For instance, in order for Messenger Express (Webmail) and Communications Express (UWC) to use SMTP AUTH (SASL), one must set the configutil http parameters smtpauthuser and smtpauthpassword to the user ID (and corresponding password) of a store administrator (a user who exists in the store.admins list, for instance admin). This causes the mshttpd server to use the specified credentials to "vouch" for the identity of the sending user, who in turn has already had to log in to mshttpd.
Categories: MTA | Channels | Reference