Re: smtp auth over ssl for smartrelay configuration

2010-01-25 Thread Jelle de Jong
Victor Duchovni wrote, on 23-01-10 20:27:
> On Sat, Jan 23, 2010 at 05:59:37PM +0100, Jelle de Jong wrote:
>
> > > > postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
> > >
> > > Why disable both SSLv2 and TLSv1?! Leave this setting at its default
> > > value, or disable just SSLv2. Does your client or server correctly handle
> > > SSLv3, but fail to interoperate via TLSv1?
> >
> > Well my server supports SSLv3 just fine, so I thought I disable
> > everything lower, and if better protocols come around postfix will
> > update and will still be able to use the newer stuff since I did not
> > force it to only use SSLv3.
>
> The default settings for advanced TLS features were chosen with care.
> It is unwise to change them unless you are a TLS expert. TLS 1.0 is
> SSL 3.1. TLS 1.1 is SSL 3.2, ... There is no plan for TLSv2 at this
> time, but it would be SSL version 4.
>
> Don't change advanced TLS settings until you have read the relevant
> OpenSSL documentation and/or RFCs and in some cases the OpenSSL source
> code (sadly OpenSSL documentation is not as complete as the Postfix
> documentation).

Thanks for the explanations, I changed the settings back to its defaults.

Does somebody know the differences between using SSL over port 465 and
TLS over port 25 in the settings for the Debian icedove MUA? (I want
to make postfix use port 465 for its smtp auth mailrelaying)

Thanks in advance,

Kind regards,

Jelle


Re: smtp auth over ssl for smartrelay configuration

2010-01-25 Thread Charles Marcus
On 2010-01-25 8:56 AM, Jelle de Jong wrote:
> Does somebody know the differences between using SSL over port 465
> and TLS over port 25 in the settings for the Debian icedove MUA? (I
> want to make postfix use port 465 for its smtp auth mailrelaying)

SMTPS over Port 465 is deprecated. Best is TLS on the submission port - 587.

-- 

Best regards,

Charles


Re: smtp auth over ssl for smartrelay configuration

2010-01-25 Thread Noel Jones

On 1/25/2010 7:56 AM, Jelle de Jong wrote:

> Does somebody know the differences between using SSL over port 465 and
> TLS over port 25 in the settings for the Debian icedove MUA? (I want
> to make postfix use port 465 for its smtp auth mailrelaying)


There's some overlap of terms here -- it's understandable to 
be confused.


First, SSL vs. TLS can refer to the encryption standard.  SSL 
is the name first used for https: web encryption.  As the 
protocol matured and became a standard, it was renamed to TLS.


Secondly, SSL vs. TLS can refer to *when* the encryption takes 
place.  The older SSL was commonly (at first, only) used as a 
wrapper; the encrypted tunnel was established before any 
other communication took place, and the communications were 
wrapped in the encryption protocol.  Newer TLS allows a 
standard connection to be made, then request an encrypted 
tunnel be created.  This allows both encrypted and 
non-encrypted traffic to co-exist on the same port.


With email, SSL usually refers to wrapper mode SSL over port 
465 -- negotiate the encrypted connection before sending any 
data.  This was never a standard protocol, and has been 
deprecated for many years.  And even though it's called SSL it 
commonly uses the newer TLS encryption.


So most mail clients expect wrapper mode when you click the 
SSL box, but will have a separate TLS or encrypt this 
connection box to enable standard STARTTLS support.  It 
doesn't help that everyone seems to call it something different.


Some older mail programs only support wrapper mode SSL, so the 
postfix smtpd server can receive mail from such clients with 
the -o smtpd_tls_wrappermode=yes option in master.cf on a 
dedicated port, commonly 465.  The postfix default master.cf 
includes a commented-out entry for this.

http://www.postfix.org/TLS_README.html#server_enable

The postfix smtp client does not support sending mail using 
the deprecated wrapper mode.  If postfix must send mail to an 
antique server that only supports wrapper mode, you can use 
stunnel to create a wrapper.  An example is in the documentation:

http://www.postfix.org/TLS_README.html#client_smtps

TLS over port 25 or 587 establishes a normal SMTP connection 
and then issues the STARTTLS command (usually as the first 
command sent) to establish encryption.  This is fully 
supported by postfix, and by virtually all other modern mail 
software.  And even though it's called TLS, clients are still 
allowed to use older SSL encryption.

Documentation here:  http://www.postfix.org/TLS_README.html

  -- Noel Jones
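Added example (not code from this thread or from Postfix): a small Python lint that reads a main.cf fragment and flags the client-side mistakes the replies in this thread pick apart, namely a mandatory TLS level on a host with no relayhost, a relayhost on the wrapper-mode port 465, a protocol list that keeps SSLv3 while forbidding the newer TLSv1, and SMTP AUTH settings that would let PLAIN or LOGIN credentials go out over a cleartext connection. The two embedded main.cf fragments are constructed: one from the settings posted in this thread (mailhub on 465, `encrypt`, `!SSLv2, !TLSv1`), the other the satellite configuration the replies point toward (submission port 587 with STARTTLS, the protocol list left at its default, PLAIN permitted only under TLS). The parameter names are Postfix's own; the CA bundle path, and the choice of `smtp_tls_security_level = secure` (which also verifies the relay's certificate, where the thread's `encrypt` only enforces encryption), are this example's assumptions. The lint accepts `smtp_tls_wrappermode = yes` as the one excuse for port 465; that client-side parameter only appeared in Postfix 3.0, well after this thread, so for the Postfix of the thread the answer is port 587 or the stunnel setup that TLS_README describes.

```python
"""Lint a Postfix main.cf fragment for the client-side TLS/SASL pitfalls in this thread."""
import re

# Oldest to newest: TLS 1.0 is SSL 3.1 and TLS 1.1 is SSL 3.2 (Victor's point).
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MANDATORY_LEVELS = {"encrypt", "verify", "secure", "fingerprint"}


def parse_main_cf(text):
    """'name = value' lines; leading whitespace continues the previous value (Postfix syntax)."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            raise ValueError(f"not a main.cf assignment: {raw!r}")
        current = name.strip()
        params[current] = value.strip()
    return params


def allowed_protocols(spec):
    """Protocols permitted by an exclusion list ('!SSLv2, !SSLv3') or an inclusion list ('TLSv1')."""
    tokens = [t for t in re.split(r"[\s,]+", spec) if t]
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    if (excluded | included) - set(PROTOCOL_ORDER):
        raise ValueError(f"unknown protocol name in {spec!r}")
    return (included or set(PROTOCOL_ORDER)) - excluded


def lint(params):
    """Return a list of findings; an empty list means nothing to complain about."""
    findings = []
    level = params.get("smtp_tls_security_level", "none")
    relayhost = params.get("relayhost", "")

    # Mandatory TLS only makes sense when every message goes to one fixed relay.
    if level in MANDATORY_LEVELS and not relayhost:
        findings.append("mandatory TLS but no relayhost: MX hosts without TLS become unreachable")

    # Port 465 is wrapper-mode SMTPS; the Postfix client in this thread speaks STARTTLS only.
    port = re.search(r":(\d+)\s*$", relayhost)
    if port and port.group(1) == "465" and params.get("smtp_tls_wrappermode", "no") != "yes":
        findings.append("port 465 is wrapper-mode SMTPS; use submission port 587 with STARTTLS")

    # Never forbid a newer protocol while still permitting an older one.
    spec = params.get("smtp_tls_mandatory_protocols")
    if spec is not None and level in MANDATORY_LEVELS:
        allowed = allowed_protocols(spec)
        if "SSLv2" in allowed:
            findings.append("SSLv2 is still permitted")
        idx = PROTOCOL_ORDER.index
        oldest = min(allowed, key=idx, default=None)
        forbidden = [p for p in PROTOCOL_ORDER if p not in allowed]
        if oldest and forbidden and idx(forbidden[-1]) > idx(oldest):
            findings.append(f"{spec!r} permits {oldest} but forbids the newer {forbidden[-1]}")

    # SMTP AUTH: credentials come from a map, and PLAIN/LOGIN stays off until TLS is up.
    if params.get("smtp_sasl_auth_enable", "no") == "yes":
        if not params.get("smtp_sasl_password_maps"):
            findings.append("smtp_sasl_auth_enable = yes without smtp_sasl_password_maps")
        opts = params.get("smtp_sasl_security_options", "noplaintext, noanonymous")
        if "noplaintext" not in opts:
            findings.append("noplaintext dropped; relax it in smtp_sasl_tls_security_options only")
    return findings


# Constructed from the fragments posted in this thread: mailhub on port 465,
# security level 'encrypt' and the '!SSLv2, !TLSv1' protocol list.
SATELLITE_AS_POSTED = """\
relayhost = [secure.powercraft.nl]:465
smtp_tls_security_level = encrypt
smtp_tls_mandatory_protocols = !SSLv2, !TLSv1
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
"""

# Constructed: the same satellite as the replies recommend (587 + STARTTLS, default
# protocol list, PLAIN only under TLS); 'secure' and the CA path are assumptions here.
SATELLITE_CORRECTED = """\
relayhost = [secure.powercraft.nl]:587
smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noplaintext,
    noanonymous
smtp_sasl_tls_security_options = noanonymous
"""

if __name__ == "__main__":
    for name, cfg in ("as posted", SATELLITE_AS_POSTED), ("corrected", SATELLITE_CORRECTED):
        print(f"== {name}", *(lint(parse_main_cf(cfg)) or ["ok"]), sep="\n  ")
```

Run as a script, the first fragment yields the port and protocol findings while the second passes. The `noplaintext` check answers the original request's `authmethod=plain`: Postfix's default `smtp_sasl_security_options` forbids plaintext mechanisms, and the place to allow PLAIN is `smtp_sasl_tls_security_options`, which applies only to sessions that have completed STARTTLS, so the credentials never cross the wire unencrypted. The wrapped `noplaintext,` / `noanonymous` value in the second fragment is Postfix's continuation-line syntax, which the parser handles.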


smtp auth over ssl for smartrelay configuration

2010-01-23 Thread Jelle de Jong
Hello everybody,

I got a whole set of 20 Debian systems connected to mobile broadband
internet. They are behind a NAT with dynamic IPs.

I want these systems to be able to send emails to my server for all
kinds of reasons like monitoring, security updates etcetera.

I want to use postfix to authorise to my secured SMTP server to be
able to deliver mail. The authorisation should be like the ones used
on my MTAs like Mozilla Thunderbird with SMTP authorisation.

Configuration option I made up:

authuser=usern...@powercraft.nl
authpass=password
authmethod=plain
mailhub=secure.powercraft.nl:465
usessl=true

Can somebody show me an example of how to set up a simple outgoing-only
email configuration that uses SMTP AUTH over SSL?

Thanks in advance,

Kind regards,

Jelle



Re: smtp auth over ssl for smartrelay configuration

2010-01-23 Thread Wietse Venema
Jelle de Jong:
> Hello everybody,
>
> I got a whole set of 20 Debian systems connected to mobile broadband
> internet. They are behind a NAT with dynamic IPs.
>
> I want these systems to be able to send emails to my server for all
> kinds of reasons like monitoring, security updates etcetera.
>
> I want to use postfix to authorise to my secured SMTP server to be
> able to deliver mail. The authorisation should be like the ones used
> on my MTAs like Mozilla Thunderbird with SMTP authorisation.
>
> Configuration option I made up:
>
> authuser=usern...@powercraft.nl
> authpass=password
> authmethod=plain
> mailhub=secure.powercraft.nl:465
> usessl=true
>
> Can somebody show me an example of how to set up a simple outgoing-only
> email configuration that uses SMTP AUTH over SSL?

Postfix SASL: http://www.postfix.org/SASL_README.html

Postfix TLS:  http://www.postfix.org/TLS_README.html

These are organized in client and server sections, with examples.
There is no need to repeat this information on the mailing list.

Wietse


Re: smtp auth over ssl for smartrelay configuration

2010-01-23 Thread Jelle de Jong
Victor Duchovni wrote, on 23-01-10 17:48:
> On Sat, Jan 23, 2010 at 05:31:47PM +0100, Jelle de Jong wrote:
>
> > postconf -e 'smtp_tls_security_level = encrypt'
>
> Is this SMTP client going to send all mail to a small set of TLS enabled
> relay hosts? Or are you choosing to not be able to send any email to
> the vast majority of domains whose MX hosts don't offer TLS?

The system is a satellite system that is only sending mail to one
secure mail server; the mailrelay is only available for smtp auth over
ssl. The hostname of the sender will fail every sane check if it sends
to other machines, because it has no fixed ip and is behind a series
of NATs.

> > postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
>
> Why disable both SSLv2 and TLSv1?! Leave this setting at its default
> value, or disable just SSLv2. Does your client or server correctly handle
> SSLv3, but fail to interoperate via TLSv1?

Well my server supports SSLv3 just fine, so I thought I disable
everything lower, and if better protocols come around postfix will
update and will still be able to use the newer stuff since I did not
force it to only use SSLv3.

> > Hope that helps some people :)
>
> And does not mislead too many. A tutorial needs to not only provide
> working settings, but also explain the use-case to which they apply
> and why the settings are the right ones to the use-case at hand.

All true; that said, the pointers I gave were not related to the above,
and the documentation handles these points quite well.

Best regards,

Jelle


Re: smtp auth over ssl for smartrelay configuration

2010-01-23 Thread Michael Orlitzky

Jelle de Jong wrote:

> Victor Duchovni wrote, on 23-01-10 17:48:
>
> > On Sat, Jan 23, 2010 at 05:31:47PM +0100, Jelle de Jong wrote:
> >
> > > postconf -e 'smtp_tls_security_level = encrypt'
> >
> > Is this SMTP client going to send all mail to a small set of TLS enabled
> > relay hosts? Or are you choosing to not be able to send any email to
> > the vast majority of domains whose MX hosts don't offer TLS?
>
> The system is a satellite system that is only sending mail to one
> secure mail server; the mailrelay is only available for smtp auth over
> ssl. The hostname of the sender will fail every sane check if it sends
> to other machines, because it has no fixed ip and is behind a series
> of NATs.
>
> > > postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
> >
> > Why disable both SSLv2 and TLSv1?! Leave this setting at its default
> > value, or disable just SSLv2. Does your client or server correctly handle
> > SSLv3, but fail to interoperate via TLSv1?
>
> Well my server supports SSLv3 just fine, so I thought I disable
> everything lower, and if better protocols come around postfix will
> update and will still be able to use the newer stuff since I did not
> force it to only use SSLv3.

TLSv1 is newer stuff.


Re: smtp auth over ssl for smartrelay configuration

2010-01-23 Thread Victor Duchovni
On Sat, Jan 23, 2010 at 05:59:37PM +0100, Jelle de Jong wrote:

> > > postconf -e 'smtp_tls_mandatory_protocols = !SSLv2, !TLSv1'
> >
> > Why disable both SSLv2 and TLSv1?! Leave this setting at its default
> > value, or disable just SSLv2. Does your client or server correctly handle
> > SSLv3, but fail to interoperate via TLSv1?
>
> Well my server supports SSLv3 just fine, so I thought I disable
> everything lower, and if better protocols come around postfix will
> update and will still be able to use the newer stuff since I did not
> force it to only use SSLv3.

The default settings for advanced TLS features were chosen with care.
It is unwise to change them unless you are a TLS expert. TLS 1.0 is
SSL 3.1. TLS 1.1 is SSL 3.2, ... There is no plan for TLSv2 at this
time, but it would be SSL version 4.

Don't change advanced TLS settings until you have read the relevant
OpenSSL documentation and/or RFCs and in some cases the OpenSSL source
code (sadly OpenSSL documentation is not as complete as the Postfix
documentation).

-- 
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
mailto:majord...@postfix.org?body=unsubscribe%20postfix-users

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.