From: Jelle de Jong on 23 Jan 2010 11:59

Victor Duchovni wrote, on 23-01-10 17:48:
> On Sat, Jan 23, 2010 at 05:31:47PM +0100, Jelle de Jong wrote:
>
>> postconf -e 'smtp_tls_security_level = encrypt'
>
> Is this SMTP client going to send all mail to a small set of TLS enabled
> relay hosts? Or are you choosing to not be able to send any email to
> the vast majority of domains whose MX hosts don't offer TLS?

The system is a satellite system that is only sending mail to one secure
mail server; the mail relay is only available for smtp auth over ssl. The
hostname of the sender will fail every sane check if it is sent to other
machines, because it has no fixed IP and is behind a series of NATs.

>> postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
>
> Why disable both SSLv2 and TLSv1?! Leave this setting at its default
> value, or disable just SSLv2. Does your client or server correctly handle
> SSLv3, but fail to interoperate via TLSv1?

Well, my server supports SSLv3 just fine, so I thought I'd disable
everything lower, and if better protocols come around postfix will update
and will still be able to use the newer stuff, since I did not force it to
only use SSLv3.

>> Hope that helps some people :)
>
> And does not mislead too many. A tutorial needs to not only provide
> working settings, but also explain the use-case to which they apply
> and why the settings are the right ones to the use-case at hand.

All true; that said, the pointers I gave were not related to the above, and
the documentation handles these points quite well.

Best regards,

Jelle
From: Victor Duchovni on 23 Jan 2010 11:48

On Sat, Jan 23, 2010 at 05:31:47PM +0100, Jelle de Jong wrote:

> postconf -e 'smtp_tls_security_level = encrypt'

Is this SMTP client going to send all mail to a small set of TLS enabled
relay hosts? Or are you choosing to not be able to send any email to
the vast majority of domains whose MX hosts don't offer TLS?

> postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'

Why disable both SSLv2 and TLSv1?! Leave this setting at its default
value, or disable just SSLv2. Does your client or server correctly handle
SSLv3, but fail to interoperate via TLSv1?

> Hope that helps some people :)

And does not mislead too many. A tutorial needs to not only provide
working settings, but also explain the use-case to which they apply
and why the settings are the right ones to the use-case at hand.

--
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
From: Jelle de Jong on 25 Jan 2010 08:56

Victor Duchovni wrote, on 23-01-10 20:27:
> On Sat, Jan 23, 2010 at 05:59:37PM +0100, Jelle de Jong wrote:
>
>>>> postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
>>> Why disable both SSLv2 and TLSv1?! Leave this setting at its default
>>> value, or disable just SSLv2. Does your client or server correctly handle
>>> SSLv3, but fail to interoperate via TLSv1?
>> Well my server supports SSLv3 just fine, so I thought I disable
>> everything lower, and if better protocols come around postfix will
>> update and will still be able to use the newer stuff since I did not
>> force it to only use SSLv3.
>
> The default settings for advanced TLS features were chosen with care.
> It is unwise to change them unless you are a TLS expert. TLSv 1.0 is
> SSL 3.1. TLS 1.1 is SSL 3.2, ... There is no plan for TLSv2 at this
> time, but it would be SSL version 4.
>
> Don't change advanced TLS settings until you have read the relevant
> OpenSSL documentation and/or RFCs and in some cases the OpenSSL source
> code (sadly OpenSSL documentation is not as complete as the Postfix
> documentation).

Thanks for the explanations; I changed the settings back to their defaults.

Does somebody know the differences between using SSL over port 465 and
TLS over port 25 in the settings for the Debian icedove MUA? (I want to
make postfix use port 465 for its smtp auth mailrelaying.)

Thanks in advance,

Kind regards,

Jelle
From: Charles Marcus on 25 Jan 2010 11:14

On 2010-01-25 8:56 AM, Jelle de Jong wrote:
> Does somebody know the differences between using SSL over port 465
> and TLS over port 25 in the settings for the Debian icedove MUA? (I
> want to make postfix use port 465 for its smtp auth mailrelaying)

SMTPS over Port 465 is deprecated. Best is TLS on the submission port - 587.

--
Best regards,

Charles
From: Noel Jones on 25 Jan 2010 12:05

On 1/25/2010 7:56 AM, Jelle de Jong wrote:
> Does somebody know the differences between using SSL over port 465 and
> TLS over port 25 in the settings for the Debian icedove MUA? (I want
> to make postfix use port 465 for its smtp auth mailrelaying)

There's some overlap of terms here -- it's understandable to be confused.

First, SSL vs. TLS can refer to the encryption standard. SSL is the name
first used for https: web encryption. As the protocol matured and became
a standard, it was renamed to TLS.

Secondly, SSL vs. TLS can refer to *when* the encryption takes place. The
older SSL was commonly (at first, only) used as a "wrapper"; the encrypted
tunnel was established before any other communication took place, and the
communications were wrapped in the encryption protocol. Newer TLS allows a
standard connection to be made, then requests that an encrypted tunnel be
created. This allows both encrypted and non-encrypted traffic to co-exist
on the same port.

With email, SSL usually refers to wrapper mode SSL over port 465 --
negotiate the encrypted connection before sending any data. This was
never a standard protocol, and has been deprecated for many years. And
even though it's called SSL, it commonly uses the newer TLS encryption.
So most mail clients expect wrapper mode when you click the "SSL" box,
but will have a separate "TLS" or "encrypt this connection" box to enable
standard STARTTLS support. It doesn't help that everyone seems to call it
something different.

Some older mail programs only support wrapper mode SSL, so the postfix
smtpd server can receive mail from such clients with the
"-o smtpd_tls_wrappermode=yes" option in master.cf on a dedicated port,
commonly 465. The postfix default master.cf includes a commented-out
entry for this.
http://www.postfix.org/TLS_README.html#server_enable

The postfix smtp client does not support sending mail using the
deprecated wrapper mode. If postfix must send mail to an antique server
that only supports wrapper mode, you can use stunnel to create a wrapper.
An example is in the documentation:
http://www.postfix.org/TLS_README.html#client_smtps

TLS over port 25 or 587 establishes a normal SMTP connection and then
issues the STARTTLS command (usually as the first command sent) to
establish encryption. This is fully supported by postfix, and by
virtually all other modern mail software. And even though it's called
TLS, clients are still allowed to use older SSL encryption.

Documentation here:
http://www.postfix.org/TLS_README.html

--
Noel Jones
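The two-sided setup the thread converges on, written out as an added example (not configuration from the thread, the posters, or the Postfix documentation): the relay offers STARTTLS on 587 for normal clients and wrapper-mode TLS on 465 only for legacy clients, and the satellite relays everything to that one host with mandatory encryption, leaving smtp_tls_mandatory_protocols at its default. The relay hostname and the sasl_passwd path are placeholders.

```text
# --- Relay server: master.cf (added example; placeholder values) ---
# Port 587 (submission): plain SMTP, client must issue STARTTLS before
# it is allowed to authenticate; the recommended setup in the thread.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465 (smtps): TLS "wrapper" mode for old clients that cannot
# STARTTLS; the tunnel is negotiated before the SMTP banner is sent.
smtps     inet n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# --- Satellite client: main.cf ---
# All mail goes to one relay, so requiring encryption cannot break
# delivery to MX hosts without TLS (the concern raised in the thread).
# The Postfix smtp client in this thread cannot speak wrapper mode, so
# the relay port must be the STARTTLS port 587, not 465.
relayhost = [relay.example.com]:587
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# smtp_tls_mandatory_protocols is deliberately left at its default.

# /etc/postfix/sasl_passwd (then run: postmap /etc/postfix/sasl_passwd)
# [relay.example.com]:587    satellite-user:placeholder-password
```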