Just a point of clarification... port 465 isn't "deprecated" because it was never formerly assigned by IANA. It was hijacked by some mailer (I forget which) and when 587 was assigned, it was agreed to stop using the former port.

As for one of your questions, it's assumed that 465 comes up with SSL turned on by default, and that it doesn't come up in the clear with STARTTLS turning TLS on.

And "plain" sends the password in the clear, but "login" sends it hashed. I.e. you need:

    pwcheck_method: saslauthd
    mech_list: plain login

in your /etc/sasl2/smtp.conf file... or you can change "mech_list" to only "login", or even "digest-md5" and "cram-md5" (as we do here) with TB using "Encrypted password" as the authentication type.

-Philip

On 12/7/11 5:49 PM, Grant wrote:
> I've been using smtps on port 465 for sending mail but I read it's
> deprecated so I'm trying to switch to submission port 587.
>
> With 465 I was using the "Connection security: SSL/TLS" setting in
> Thunderbird, but after switching to 587 I can't send mail unless I
> change it to STARTTLS.  Can anyone explain this?  Should I be using
> STARTTLS instead of SSL/TLS for courier 993?
>
> Whether using 465 or 587, I noticed I can't log in to send mail from
> my mail clients unless the password is sent unencrypted.  Is that OK
> since I'm using STARTTLS or should I also enable encryption of the
> password?
>
> Previously in master.cf I was running smtps like this:
>
> smtps     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
> #  -o smtpd_sasl_auth_enable=yes
> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> #  -o milter_macro_daemon_name=ORIGINATING
>
> Should I enable all of this for submission:
>
> submission inet n       -       n       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>   -o milter_macro_daemon_name=ORIGINATING
>
> I don't think I need milter_macro_daemon_name since I'm not using a
> mail filter.  I am running saslauthd but it looks like I didn't have
> it enabled for smtps previously.  I'm surprised because I thought I
> required authentication in order to use smtps.
>
> Here is most of the non-default stuff from main.cf:
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl2_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_local_domain =
>
> smtpd_recipient_restrictions =
>    permit_sasl_authenticated,
>    permit_mynetworks,
>    reject_unauth_destination,
>    permit
>
> postscreen_greet_action = enforce
> postscreen_pipelining_enable = yes
> postscreen_pipelining_action = enforce
> postscreen_non_smtp_command_enable = yes
> postscreen_non_smtp_command_action = enforce
> postscreen_bare_newline_enable = yes
> postscreen_bare_newline_action = enforce
>
> smtpd_tls_security_level = may
> smtpd_tls_auth_only = yes
>
> Thanks to anyone who can help me out with this or point out any
> deficiencies/stupidities in my config.
>
> - Grant
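
Added example, not part of the original thread and not Postfix's own code: a small Python check that merges the master.cf "-o" overrides quoted above with the quoted main.cf values and reports, per service, whether TLS is forced, whether AUTH is offered, whether AUTH is only possible over TLS, and whether the service rejects unauthenticated clients. The helper names are hypothetical, the two config strings are re-typed from the thread, and "auth_required" looks only at smtpd_client_restrictions, not at the other restriction lists.

```python
# Added example; config values below are re-typed from the settings quoted in the thread.
MAIN_CF = {"smtpd_sasl_auth_enable": "yes", "smtpd_tls_security_level": "may",
           "smtpd_tls_auth_only": "yes"}
MASTER_CF = """\
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_master(text):
    """Return {service: {param: value}} built from the -o overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # Postfix ignores blank and comment lines
        tokens = line.split()
        if not line[0].isspace():  # unindented text starts a new service
            current = services.setdefault(tokens[0], {})
            tokens = tokens[8:]    # skip the eight fixed columns
        if current is None:
            continue               # continuation line with no service yet
        for flag, arg in zip(tokens, tokens[1:]):
            if flag == "-o" and "=" in arg:
                key, value = arg.split("=", 1)
                current[key] = value
    return services

def audit(main_cf, overrides):
    """Effective TLS/SASL posture of one service (hypothetical helper)."""
    eff = {**main_cf, **overrides}  # a master.cf -o wins over main.cf
    tls_forced = (eff.get("smtpd_tls_wrappermode") == "yes"
                  or eff.get("smtpd_tls_security_level") == "encrypt")
    rules = eff.get("smtpd_client_restrictions", "").replace(",", " ").split()
    return {
        "tls_forced": tls_forced,
        "auth_offered": eff.get("smtpd_sasl_auth_enable") == "yes",
        "auth_needs_tls": tls_forced or eff.get("smtpd_tls_auth_only") == "yes",
        "auth_required": rules[-2:] == ["permit_sasl_authenticated", "reject"],
    }

def report():
    return {name: audit(MAIN_CF, o) for name, o in parse_master(MASTER_CF).items()}

if __name__ == "__main__":
    print(report())
```

With the commented-out lines ignored, smtps still offers AUTH because it inherits smtpd_sasl_auth_enable from main.cf, but nothing in its own stanza rejects clients that skip authentication.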