Scott Haneda wrote, at 04/30/2009 10:11 PM: > What happens is, under heavy MTA load on port 25, I will run out of > connection slots on port 25.
Have you investigated the nature of this problem? > By moving users to 587, I do not care > about port 25 connection slots. MTA's will try again later if busy. You might be chasing a red herring. If your server is overloaded, there is a reason why, and there may be more effective remediation techniques available. Improving your submission service is good, but it might not deliver the performance payoff you're expecting. > What do you guys think? > > My end goal here is to get this all working, and then change these ports > to, for example, 25 -> 2525 and 587 -> 587587 unless there is some other > convention. I am going to put a anti spam proxy in front of all this. If you still have a heavy load, consider separating your MX entirely from submission, using separate instances/machines. It's generally easier to move the MX, since MUA configurations don't care about it. > I just do not want to add too much to my learning curve, so first, get > postfix to where I understand it, then toggle the ports and put the > proxy in. It should blindly pass the traffic, I assume in much the same > way stunnel does. > > I am open to any and all advice on this matter to make this work best. > I have a feeling later on down the road I will need to learn exactly > what things to disable in postfix, as it should not do any bouncing at > all, anything that will lead to backsplatter, since I am putting a proxy > ahead of it. FWIW, a poorly implemented proxy can do more harm than good. A lot of sites just toss them in, and don't pay attention to finer details like DNS settings and recipient validation. > I am still not entirely clear. The docs: > I am still not entirely clear. The docs: "Do not configure client > certificates unless you must present client TLS certificates to one or > more servers. Client certificates are not usually needed, and can > cause > problems in configurations that work well without them. The > recommended > setting is to let the defaults stand" > > That supports your statement. What is confusing, is most of the > tutorials for setting up Postfix have a section on setting these up. Trust the Postfix documentation, not random tutorials. > Indeed, the ones I set up used a specific host name, and when I smtp, > or pop or imap, I am asked to authorize the self signed cert, as at this > time I do not have a purchased cert from a CA. That's something else. You get that prompt from the server certificate (smtpd_tls_cert_file), which you need. That is different from the client certificate (smtp_tls_cert_file), which you obviously don't need. > What is the correct way to not use certs for MTA's, but to present one > to the MUA? > >> # server TLS parameters >> smtpd_tls_key_file = /etc/ssl/yoshino.meidokon.net_key >> smtpd_tls_cert_file = /etc/ssl/yoshino.meidokon.net_crt >> smtpd_tls_auth_only = yes <-- as mentioned, user can only auth on a >> secure connection >> smtpd_tls_loglevel = 1 >> smtpd_tls_received_header = yes > > You have the two cert, ahhh, smtp*d*. Ok, I think I get it, that is for > MUA traffic, and you present them a cert authorization when they are > auth'ing. So I can even use the current certs I have in place now? These are for all client connections that use STARTTLS, not just MUAs. The difference is that MTAs typically don't quit if they can't verify the cert (check it against a root certificate store), so using a self-signed cert is adequate. It is increasingly harder to support MUAs with noncommercial certs, however. You can get basic ones fairly cheaply, so I recommend it to avoid annoying warnings to your users. >> # client TLS parameters, forward mail via TLS if possible >> smtp_tls_security_level = may > > I had this one already I believe. This is what you need for your server to connect *as a client* to other MTAs, opportunistically using STARTTLS when offered. > The wrapper mode is probably a Outlook issue, or at least an older buggy > MUA client issue? I do not have any easy access to Outlook. How do you > go about testing before deployment? Don't set it up until you have everything else working properly (TLS, submission, etc.). Then wait until you find a need for it. Normally, the Postfix defaults in master.cf will suffice (assuming your distribution hasn't fiddled with them). > smtp_tls_cert_file = /opt/local/etc/ssl/certs/dovecot.pem > smtp_tls_key_file = /opt/local/etc/ssl/private/dovecot.pem Remove. > smtp_tls_security_level = may Keep. > smtp_tls_session_cache_database = > btree:$data_directory/smtp_tls_session_cache Keep if you need it. > smtpd_sasl_security_options = noanonymous Change to noanonymous, noplaintext if you don't want passwords sent in the clear. > smtpd_tls_ask_ccert = yes Why? > smtpd_tls_cert_file = /opt/local/etc/ssl/certs/postfix.pem > smtpd_tls_key_file = /opt/local/etc/ssl/private/postfix.pem Keep. > smtpd_tls_loglevel = 0 Adjust when troubleshooting. > smtpd_tls_received_header = yes > smtpd_tls_security_level = may Keep. > smtpd_tls_session_cache_database = > btree:$data_directory/smtpd_tls_session_cache Keep if you need it. > tls_random_source = dev:/dev/urandom Probably the default. It's generally a good thing, because /dev/urandom is nonblocking. Some systems might use /dev/random, which blocks and can hurt performance in low entropy environments (opinion on security implications is mixed). > submission inet n - n - > - smtpd > -o smtpd_tls_security_level=may > -o smtpd_tls_auth_only=no > -o smtpd_sasl_auth_enable=yes > -o smtpd_client_restrictions=permit_sasl_authenticated IMHO, too weak for port 587. > 465 inet n - n - > - smtpd > -o smtpd_tls_wrappermode=yes > -o smtpd_sasl_auth_enable=yes > -o smtpd_client_restrictions=permit_sasl_authenticated Don't use smtps port 465 unless you need it. Here's an example from one of my servers: submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
