On Fri, Feb 24, 2012 at 04:28:01PM +0000, Kaleb Hosie wrote:

> I'm trying to enable postfix to use an SSL certificate for sending
> email but when I enable SMTP on my outlook client, I get this
> message:

You are misled by the confusing overloading of the various terms
relating to transport layer security (TLS).

- There are X.509 certificates, otherwise called "SSL certificates",
  used to authenticate the endpoint of a TLS connection.

- There is a communications protocol that used to be called SSL, then
  renamed to SSLv3 when the prevalent form SSLv2 was found to be weak.
  This got standardized by the IETF and became TLSv1.0 (aka SSLv3.1).
  There are now also TLSv1.1 (SSLv3.2) and TLSv1.2 (SSLv3.3). All of
  these are variously called SSL or TLS.

- There are two ways of using SSL/TLS in an application protocol. The
  first is to define a new service port for the application and start
  all connections to the alternate port with an SSL handshake. Mail
  clients confusingly call this "SSL". The second is to use a single
  port for both encrypted and unencrypted traffic and to define an
  application-specific mechanism to negotiate a transition from
  plaintext to encryption. This mechanism is usually called "STARTTLS",
  but mail clients confusingly call it "TLS".

All you want is a secure connection, but your mail client wants to know
whether it will use encryption right away (which it will call SSL) or
negotiate via "STARTTLS" (which it will call TLS). Since for SMTP the
"SSL" variant is deprecated and non-standard and STARTTLS is the
standard way to encrypt the transport, you should be using "TLS" (that
is "STARTTLS") in most cases, with SSL certs and the SSL/TLS protocol
(negotiated inside SMTP).

> If I use TLS as an encryption method rather than SSL, it works.

Good. Do that and you're all set.

> smtpd_use_tls = yes
> smtpd_tls_security_level = may
> smtpd_tls_cert_file = /etc/pki/tls/certs/stopspam.nicanada.com.crt
> smtpd_tls_key_file = /etc/pki/tls/certs/stopspam.nicanada.com.key
>
> I have also added the following in my master.cf file as well:
>
> smtps     inet  n       -       n       -       -       smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> Any ideas why it is not working?

You've probably not told the client to use port 465. On either 25 or 587
you're likely offering STARTTLS. I would disable the "smtps" service
unless your clients are a decade out of date and can't STARTTLS.

-- 
	Viktor.
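Added example (not part of the thread above, and not Postfix code): a small Python probe that checks a server the two ways the reply distinguishes, STARTTLS negotiated inside SMTP on 25/587 (the client's "TLS" setting) and TLS-first wrapper mode on 465 (the client's "SSL" setting, smtpd_tls_wrappermode=yes). The host name is a placeholder and the EHLO reply used for the offline check is constructed.

```python
"""Probe which TLS entry point an SMTP server offers.

Mail clients label STARTTLS as "TLS" and TLS-first (wrapper mode) as
"SSL"; picking "SSL" against a STARTTLS port fails at the handshake.
Host names here are placeholders (assumption, not from the thread)."""
import smtplib
import ssl


def parse_ehlo(msg: bytes) -> set[str]:
    """Return the extension keywords from an EHLO reply body.

    smtplib.SMTP.ehlo() returns (code, msg); msg carries the server's
    greeting on the first line and one extension per following line."""
    lines = msg.decode("ascii", "replace").splitlines()
    return {line.split()[0].upper() for line in lines[1:] if line.strip()}


def advertises_starttls(msg: bytes) -> bool:
    """True when the EHLO reply lists STARTTLS (what clients call "TLS")."""
    return "STARTTLS" in parse_ehlo(msg)


def check_starttls(host: str, port: int = 587, timeout: float = 10) -> dict:
    """Plaintext connect, then negotiate TLS inside SMTP via STARTTLS."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        _code, msg = s.ehlo()
        if not advertises_starttls(msg):
            return {"mode": "starttls", "offered": False}
        s.starttls(context=ctx)   # verifies the server's X.509 certificate
        s.ehlo()                  # re-EHLO after the transport is encrypted
        return {"mode": "starttls", "offered": True,
                "tls_version": s.sock.version()}


def check_wrapper(host: str, port: int = 465, timeout: float = 10) -> dict:
    """TLS handshake first, SMTP inside it (smtps / smtpd_tls_wrappermode)."""
    ctx = ssl.create_default_context()
    try:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            return {"mode": "wrapper", "offered": True,
                    "tls_version": s.sock.version()}
    except OSError as e:
        # A STARTTLS port greets with a plaintext 220 banner, so the TLS
        # handshake fails: this is the mismatch a client's "SSL" setting
        # produces against port 25 or 587.
        return {"mode": "wrapper", "offered": False, "error": str(e)}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    print(check_starttls(host, 587))
    print(check_wrapper(host, 465))
```

Run it against your own server with both ports; a STARTTLS result of offered=True on 587 together with offered=False on 465 is exactly the situation where only the client's "TLS" setting works.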