On 02/04/2013 03:47 PM, Noel Jones wrote:
On 2/4/2013 12:27 PM, Robert Moskowitz wrote:
I am into final tuning of my mail server, and I greatly appreciate
all the help I have received from the many lists I have had to go to
for help.  I am now at actual external testing, starting out with
some free mail test servers.  Right now I am trying out:

http://www.emailsecuritygrader.com

And from there I became aware that I probably don't have SMTPS (port
465) configured properly.  Actually at first I did not even have it
set up!  So I reread the readme:

http://www.postfix.org/TLS_README.html

And add:

/etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache

/etc/postfix/master.cf:
smtps    inet  n       -       n       -       -       smtpd
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
The smtps port should be reserved for authorized users only -- just
like the submission port -- and never used for general-purpose email.

Generally you would add something like
   -o smtpd_recipient_restrictions=$submission_recipient_restrictions

I will look into this. My setup uses virtual domains and mysql for the users, so a list may be contrived. But also the implication is that users would have to ask me for this method of connectivity, which has its merits.


and then in main.cf add
submission_recipient_restrictions =
   permit_sasl_authenticated
   reject

thanks I will review this.



and restarted postfix

And tried to telnet into localhost 465.  All I get is:

This is an encrypted connection and can't be tested with telnet.
You can test it with openssl:

openssl s_client -connect server.example.com:465

Grumple. I did this to test out secure IMAP for dovecot. Obvious once my nose is stuck in it. Thanks.

If you get the postfix greeting banner, it's working properly.

But be aware that smtps is deprecated and you probably shouldn't
bother enabling it unless you need it to support legacy clients.

Good to know. I kind of got that feeling from the TLS_README that it was for older OE clients, and I have one of those. A reason for them to move up. Hopefully.
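The point of Noel's advice is that smtps (465) and submission (587) are authenticated-user ports, not general-purpose MX ports, so each needs SASL enabled and a recipient restriction that ends in reject for anyone who is not authenticated. The following is an added example (not code from the thread or from Postfix) that parses a master.cf/main.cf pair and flags an smtps or submission service that is missing those settings. The two config fragments embedded in it are constructed for the example, modelled on the snippets quoted above; the check mirrors the thread's recommendation (permit_sasl_authenticated followed by reject) rather than any Postfix default.

```python
"""Lint Postfix master.cf / main.cf for the auth-only ports (smtps, submission).

Added example: checks that smtps uses wrapper-mode TLS, that both ports enable
SASL, and that their recipient restrictions are 'permit_sasl_authenticated'
then 'reject' (the rule recommended in the thread). Sample configs below are
constructed for this example.
"""
import re

# Constructed sample master.cf: submission is done right, smtps has the two
# -o lines from the thread but no recipient-restriction override.
MASTER_CF = """\
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=$submission_recipient_restrictions
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
smtp       unix  -       -       n       -       -       smtp
"""

# Constructed sample main.cf with the multi-line restriction list from the thread.
MAIN_CF = """\
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
submission_recipient_restrictions =
   permit_sasl_authenticated
   reject
"""

# Regex for a master.cf continuation line:  -o key=value
OPT_RE = re.compile(r"\s*-o\s+([^=\s]+)=(.*)$")


def parse_master_cf(text):
    """Return {(service, type): {option: value, '_command': cmd}}.

    Service lines have 8 whitespace-separated fields; indented '-o' lines
    attach to the most recent service. Keyed by (name, type) because the
    same name appears as both 'inet' (server) and 'unix' (client) entries.
    """
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":  # continuation line belongs to `current`
            m = OPT_RE.match(raw)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2).strip()
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed master.cf line: {raw!r}")
        current = (fields[0], fields[1])
        services[current] = {"_command": fields[7]}
    return services


def parse_main_cf(text):
    """Return {param: value}; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        k, _, v = raw.partition("=")
        key = k.strip()
        params[key] = v.strip()
    return params


def resolve(value, params):
    """Expand $name / ${name} references against main.cf parameters."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), value)


def lint_auth_port(name, services, params):
    """Findings (list of str) for an auth-only inet service; [] means clean."""
    svc = services.get((name, "inet"))
    if svc is None:
        return [f"{name}: not enabled in master.cf"]
    findings = []
    if name == "smtps" and svc.get("smtpd_tls_wrappermode") != "yes":
        findings.append("smtps: smtpd_tls_wrappermode=yes missing (port 465 is TLS-on-connect)")
    if name == "submission" and svc.get("smtpd_tls_security_level") != "encrypt":
        findings.append("submission: smtpd_tls_security_level=encrypt missing")
    if svc.get("smtpd_sasl_auth_enable") != "yes":
        findings.append(f"{name}: smtpd_sasl_auth_enable=yes missing")
    restr = svc.get("smtpd_recipient_restrictions")
    if restr is None:
        findings.append(f"{name}: inherits main.cf smtpd_recipient_restrictions; "
                        "add -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject")
        return findings
    terms = [t for t in re.split(r"[,\s]+", resolve(restr, params)) if t]
    if terms[:1] != ["permit_sasl_authenticated"] or terms[-1:] != ["reject"]:
        findings.append(f"{name}: restrictions should be permit_sasl_authenticated, reject; got {terms}")
    return findings


def lint_all(master_text=MASTER_CF, main_text=MAIN_CF):
    """Lint both auth-only ports; returns {port: [findings]}."""
    services, params = parse_master_cf(master_text), parse_main_cf(main_text)
    return {p: lint_auth_port(p, services, params) for p in ("smtps", "submission")}


if __name__ == "__main__":
    for port, findings in lint_all().items():
        print(port, "OK" if not findings else "\n  ".join([""] + findings))
```

Run it against the sample and submission comes back clean while smtps is flagged for inheriting the main.cf restrictions, which is exactly the gap Noel pointed out. To use it on a real box, read /etc/postfix/master.cf and main.cf into the two strings; it only covers the settings discussed here, not a full Postfix configuration review.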

