On Fri, Feb 24, 2012 at 04:28:01PM +0000, Kaleb Hosie wrote:

> I'm trying to enable postfix to use an SSL certificate for sending
> email but when I enable SMTP on my outlook client, I get this
> message:

You are misled by the confusing overloading of the various terms
relating to transport layer security (TLS).

  - There are X.509 certificates, otherwise called "SSL certificates"
    used to authenticate the endpoint of a TLS connection.

  - There is a communications protocol that used to be called SSL, then
    renamed to SSLv3 when the prevalent form SSLv2 was found to be weak.
    This got standardized by the IETF and became TLSv1.0 (aka SSLv3.1).
    There are now also TLSv1.1 (SSLv3.2) and TLSv1.2 (SSLv3.3). All of these
    are variously called SSL or TLS.

  - There are two ways of using SSL/TLS in an application protocol, the
    first is to define a new service port for the application and start
    all connections to the alternate port with an SSL handshake. Mail
    clients confusingly call this "SSL". The second is to use a single
    port for both encrypted and unencrypted traffic and to define an
    application-specific mechanism to negotiate a transition from
    plaintext to encryption. This mechanism is usually called "STARTTLS",
    but mail clients confusingly call it "TLS".

All you want is a secure connection, but your mail client wants to know
whether it will use encryption right away (which it will call SSL) or
negotiate via "STARTTLS" (which it will call TLS).

Since for SMTP the "SSL" variant is deprecated and non-standard and
STARTTLS is the standard way to encrypt the transport, you should be
using "TLS" (that is "STARTTLS") in most cases, with SSL certs and
the SSL/TLS protocol (negotiated inside SMTP).

> If I use TLS as an encryption method rather than SSL, it works.

Good. Do that and you're all set.

> smtpd_use_tls = yes
> smtpd_tls_security_level = may
> smtpd_tls_cert_file = /etc/pki/tls/certs/stopspam.nicanada.com.crt
> smtpd_tls_key_file = /etc/pki/tls/certs/stopspam.nicanada.com.key
> 
> I have also added the following in my master.cf file as well:
> smtps     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 
> Any ideas why it is not working?

You've probably not told the client to use port 465. On either 25 or
587 you're likely offering STARTTLS.

I would disable the "smtps" service unless your clients are a decade
out of date and can't STARTTLS.

-- 
        Viktor.
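As an added example (not part of Viktor's message or of Postfix itself), a small Python checker that keeps the two modes above apart: it classifies a port by the convention the reply describes, parses an EHLO reply for the STARTTLS extension, and connects with certificate verification in either mode. The sample EHLO reply and the hostnames are constructed; the port mapping assumes the server follows the usual 25/587/465 convention.

```python
"""Tell implicit-TLS ("SSL", port 465) apart from STARTTLS ("TLS", 25/587)."""
import smtplib
import ssl

# Port conventions from the reply above (assumption: the server follows them).
IMPLICIT_TLS_PORTS = {465}   # mail-client "SSL": TLS handshake before any SMTP
STARTTLS_PORTS = {25, 587}   # mail-client "TLS": plaintext banner, then STARTTLS


def tls_mode_for_port(port):
    """Return 'wrapper', 'starttls' or 'unknown' for a server port."""
    if port in IMPLICIT_TLS_PORTS:
        return "wrapper"
    if port in STARTTLS_PORTS:
        return "starttls"
    return "unknown"


def parse_ehlo_response(text):
    """Return (status code, set of extension keywords) from a raw EHLO reply.

    Handles the RFC 5321 multi-line form ('250-EXT' continuations, final
    '250 EXT' line); the first line carries the server name, not an extension.
    """
    lines = [ln for ln in text.splitlines() if ln]
    if not lines:
        raise ValueError("empty reply")
    extensions = set()
    for i, line in enumerate(lines):
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in "- ":
            raise ValueError("malformed reply line: %r" % line)
        if i > 0:  # skip the greeting line
            extensions.add(line[4:].split(" ", 1)[0].upper())
    return int(lines[-1][:3]), extensions


def advertises_starttls(ehlo_text):
    """True when the EHLO reply is a 250 and lists STARTTLS."""
    code, exts = parse_ehlo_response(ehlo_text)
    return code == 250 and "STARTTLS" in exts


def verified_peer_name(host, port, mode, timeout=10):
    """Connect in the given mode with chain and hostname verification enabled
    (ssl.create_default_context) and return the certificate's commonName."""
    ctx = ssl.create_default_context()
    if mode == "wrapper":
        smtp = smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    elif mode == "starttls":
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("no STARTTLS offered on port %d" % port)
        smtp.starttls(context=ctx)
    else:
        raise ValueError("mode must be 'wrapper' or 'starttls'")
    try:
        subject = smtp.sock.getpeercert()["subject"]
    finally:
        smtp.quit()
    return dict(pair for rdn in subject for pair in rdn).get("commonName")
```

A client set to "SSL" against port 587 sends a TLS ClientHello to a server that is waiting for plaintext EHLO, which is exactly the failure the thread describes; `verified_peer_name(host, 587, tls_mode_for_port(587))` picks the matching mode instead.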
