On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
> I am into final tuning of my mail server, and I greatly appreciate
> all the help I have received from the many lists I have had to go to
> for help.  I am now at actual external testing, starting out with
> some free mail test servers.  Right now I am trying out:
> 
> http://www.emailsecuritygrader.com
> 
> And from there I became aware that I probably don't have SMTPS (port
> 465) configured properly.  Actually at first I did not even have it
> set up!  So I reread the readme:
> 
> http://www.postfix.org/TLS_README.html
> 
> And add:
> 
> /etc/postfix/main.cf
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
> 
> /etc/postfix/master.cf:
> smtps    inet  n       -       n       -       -       smtpd
>      -o smtpd_tls_wrappermode=yes
>      -o smtpd_sasl_auth_enable=yes

The smtps port should be reserved for authorized users only -- just
like the submission port -- and never used for general-purpose email.

Generally you would add something like
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions

and then in main.cf add
submission_recipient_restrictions =
  permit_sasl_authenticated
  reject


> 
> and restarted postfix
> 
> And tried to telnet into localhost 465.  All I get is:


This is an encrypted connection and can't be tested with telnet.
You can test it with openssl:

openssl s_client -connect server.example.com:465

If you get the postfix greeting banner, it's working properly.

But be aware that smtps is deprecated and you probably shouldn't
bother enabling it unless you need it to support legacy clients.




  -- Noel Jones
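
An added example, not part of the original message: a Python check for the two points in the reply above, that port 465 expects TLS before any SMTP is spoken and that the permit_sasl_authenticated/reject restriction refuses recipients from unauthenticated clients. The probe addresses, the helper names and the reply transcripts are constructed for illustration.

```python
import io
import socket
import ssl

def read_reply(fh):
    """Read one SMTP reply, which may span several lines; return (code, texts)."""
    texts = []
    while True:
        raw = fh.readline()
        if not raw:
            raise ConnectionError("connection closed before a full reply")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        texts.append(line[4:])
        if line[3:4] != "-":  # "250-..." continues, "250 ..." ends the reply
            return int(line[:3]), texts

def command(fh, text):
    fh.write(text.encode("ascii") + b"\r\n")
    fh.flush()
    return read_reply(fh)

def check_smtps(fh, rcpt="someone@example.org"):
    """Talk SMTP on an already-encrypted stream; return a list of findings."""
    code, _ = read_reply(fh)
    if code != 220:
        return ["no 220 greeting banner (got %d)" % code]
    findings = []
    _, features = command(fh, "EHLO probe.example.net")
    if not any(f.upper().startswith("AUTH") for f in features[1:]):
        findings.append("AUTH not advertised")
    command(fh, "MAIL FROM:<probe@example.net>")
    code, _ = command(fh, "RCPT TO:<%s>" % rcpt)  # sent without authenticating
    if code < 400:
        findings.append("unauthenticated RCPT accepted (%d)" % code)
    command(fh, "QUIT")
    return findings

def probe(host, port=465):
    ctx = ssl.create_default_context()  # wrapper mode: TLS handshake comes first
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            with tls.makefile("rwb") as fh:
                return check_smtps(fh)

def replay(server_bytes):
    return check_smtps(io.BufferedRWPair(io.BytesIO(server_bytes), io.BytesIO()))

# Constructed server replies (not captured from a real server), for offline runs.
RESTRICTED = (b"220 server.example.com ESMTP\r\n250-server.example.com\r\n250 AUTH PLAIN\r\n"
              b"250 2.1.0 Ok\r\n554 5.7.1 Access denied\r\n221 2.0.0 Bye\r\n")
OPEN = RESTRICTED.replace(b"554 5.7.1 Access denied", b"250 2.1.5 Ok")
```

replay(RESTRICTED) returns an empty list and replay(OPEN) reports the accepted recipient; probe("server.example.com") runs the same dialogue over a live TLS connection.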
