On 04/02/2011 10:11 PM, Reindl Harald wrote:

On 02.04.2011 21:58, Jeroen Geilman wrote:
On 04/02/2011 09:50 PM, Alex wrote:

Okay, I think I have it working correctly now. I believe my mistake
was with using the incorrect ports for authentication.
Authentication doesn't have a "port" - it is an integral part of the SMTP 
protocol.

I think I may
not fully understand the logic behind the whole process still,
however.

I've changed smtpd_tls_security_level to 'may' from 'encrypt' in
main.cf because it also needs to be able to accept mail from non-TLS
authenticated clients (which are actually other postfix servers) in
addition to my K9 android mail client.

You shouldn't run TLS at all on port 25 if you're not using it for submission - 
and there is no reason to do so
sorry but that is nonsense
YOU SHOULD ENABLE IT OR YOU CAN DISABLE SSL ON IMAP/POP3 TOO
I see Mr Reindl is butting his big mouth in again.
I "should" do nothing.

If the OP is running normal SMTP on port 25, then TLS is an added complexity, and one he is apparently not sufficiently prepared for; so if he can avoid it, I would advise him to do so.

what sense makes it to encrypt receiving messages over ssl with
your client as long as other mail-servers deliver them
unencrypted?

Because the primary value of TLS on a mail client is to be able to send encrypted login information, and prevent sniffing on local LAN networks.

The majority of the internet is not sending encrypted mail between MTAs.

if you would like encrypted services EVERY host and protocol which is
involved should support TLS or you can disable it completely

I can only repeat that your preposterous "SHOULD" demands are silly.
Guaranteed end-to-end encryption is not a job for the MTA.
Use PGP or GPG to achieve message confidentiality.

security level "may" is correct because not every host supports encryption
but if the host supports it tls should be used, so the message is encrypted
from one client to the receiver, at least you minimize the count
of unencrypted hops
..but that's utter bullshit, since you yourself said that encryption is worthless unless ALL hops use it.
Now you're saying "oh, it's okay if they don't, but try to minimize them" ?

Make up your mind.


--
J.
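
The effect of switching smtpd_tls_security_level from 'encrypt' to 'may' on a server that also authenticates clients can be checked mechanically. The following is an added example, not part of the original thread: it computes each smtpd service's effective settings from constructed main.cf and master.cf text and lists the services that would accept AUTH on a connection without TLS. smtpd_sasl_auth_enable and smtpd_tls_auth_only are real Postfix parameters that the thread does not mention, and the function names are hypothetical.

```python
# Added example: constructed main.cf / master.cf text, not taken from the thread.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = yes
"""
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
"""
# Postfix defaults for the parameters examined ("none" stands for the empty default).
DEFAULTS = {"smtpd_tls_security_level": "none", "smtpd_sasl_auth_enable": "no",
            "smtpd_tls_auth_only": "no"}

def parse_main(text):
    # main.cf parameters layered over the defaults (continuation lines not handled).
    params = dict(DEFAULTS)
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params

def smtpd_services(master_text, main_params):
    # Map each smtpd service in master.cf to its settings after "-o name=value" overrides.
    logical = []
    for line in master_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and logical:   # indented line continues the previous entry
            logical[-1] += " " + line.strip()
        else:
            logical.append(line)
    services = {}
    for fields in (entry.split() for entry in logical):
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        eff = dict(main_params)
        for flag, setting in zip(fields[8:], fields[9:]):
            if flag == "-o" and "=" in setting:
                name, value = setting.split("=", 1)
                eff[name] = value
        services[fields[0]] = eff
    return services

def cleartext_auth_services(services):
    # "encrypt" implies smtpd_tls_auth_only=yes; with "may", AUTH is only
    # restricted to TLS sessions when smtpd_tls_auth_only is set explicitly.
    return sorted(name for name, eff in services.items()
                  if eff["smtpd_sasl_auth_enable"] == "yes"
                  and eff["smtpd_tls_security_level"] != "encrypt"
                  and eff["smtpd_tls_auth_only"] != "yes")
```

With the sample text, `cleartext_auth_services(smtpd_services(MASTER_CF, parse_main(MAIN_CF)))` reports the port 25 `smtp` service; adding `smtpd_tls_auth_only = yes` to main.cf clears it while still accepting mail from non-TLS servers.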
