Ken Hornstein <[email protected]> wrote:
>> I read through mts.conf man page and even into mts/smtp/smtp.c, and I
>> honestly can't really figure if/when it picks submission over port-25.
> Well, I won't go into the history but we changed this default a while
It makes sense that it's the default, I'm just saying that it's not clearly
stated.
I don't really care to set the port; I'm not sure if I set it to 25, if that
would just work. I guess it probably would do the right thing.
>> I don't think we support TLS client authentication at all for
>> submissions. I presently run postfix on localhost, and then I
>> smarthost via authenticated SMTP on port 26. Because port-25 would be
>> blocked. Perhaps I ought to move to sending to my smarthost via the
>> submissions port, but I'd want to use TLS client
>> authentication/authorization.
> What, EXACTLY, do you mean by "TLS client authentication"?
> Do we support client certificate submission during TLS
> negotiation? No. If this is what you want ... well, I'm a little
> surprised, as I work in an environment that makes heavy use of TLS
> client certificates and as far as I know this is never done for SMTP
> (web servers, yes, but SMTP, no). I would have to look at what it
Yes, it never took off, but I've been using this for 25+ years.
Long before the submission port was a thing.
I do this via postfix, and
relay_clientcerts = hash:/etc/postfix/relayclients
listing the fingerprints of the certificates I want to bless.
I used to do this via the CA, but that was annoying to get right, and it
interacts poorly with opportunistic TLS for SMTP.
> would take to add that. I imagine there are a few bits of magic you
> need to tell the TLS library where the certificate and private key are
> located. I have a question: do you specify the SASL EXTERNAL mechanism
> if you are doing this?
Not with postfix. It's been a thing for decades.
No SASL. It's not using submissions port or SMTP AUTH.
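The fingerprint-based relay setup described in this message, written out as a Postfix main.cf pair (an added illustration, not the poster's actual configuration). Hostnames, file paths, the port and the fingerprint value are assumed placeholders; the parameter names are Postfix's own.

```conf
# --- smarthost side (the server that accepts relay from the client) ---
smtpd_tls_security_level = may          # opportunistic TLS for everyone else
smtpd_tls_cert_file = /etc/ssl/private/smarthost.pem
smtpd_tls_key_file  = $smtpd_tls_cert_file
smtpd_tls_ask_ccert = yes               # request (not require) a client cert
smtpd_tls_fingerprint_digest = sha256   # default is md5 before Postfix 3.6
relay_clientcerts = hash:/etc/postfix/relayclients

# Relay is granted on a matching certificate fingerprint; no SASL, no CA
# verification, so an unknown cert simply falls through to the reject.
smtpd_relay_restrictions =
    permit_mynetworks
    permit_tls_clientcerts
    reject_unauth_destination

# /etc/postfix/relayclients (run "postmap /etc/postfix/relayclients" after
# editing). Left column: sha256 fingerprint as printed by
#   openssl x509 -in client.pem -noout -fingerprint -sha256
# Right column: free text, ignored by Postfix. Value below is a placeholder.
#   AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99  home-mta

# --- client side (the local Postfix that smarthosts through it) ---
relayhost = [smarthost.example.net]:26  # assumed non-standard port, as in the post
smtp_tls_security_level = encrypt       # insist on TLS toward the smarthost
smtp_tls_cert_file = /etc/ssl/private/client.pem
smtp_tls_key_file  = $smtp_tls_cert_file
```

Rotating the client certificate means adding the new fingerprint to relayclients before the old one is removed, since a fingerprint mismatch is only a relay refusal and produces no SASL or TLS error on the client.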