postfix-users: Re: Need help with SASL and TLS

From: Noel Jones <njones_at_nospam>
Date: Fri Oct 29 2010 - 11:58:45 GMT

On 10/28/2010 6:26 PM, Kory Hamzeh wrote:
> 3. I have TLS working with name/pass auth, on port 587 if the client
> UNCHECKS "Use SSL". For some reason that I don't understand, if the client
> has "Use SSL" enabled, it disconnects the TCP connection as soon as a SSL

In the context of most mail clients, SSL refers to
(deprecated) wrappermode TLS, typically on port 465.

> My main question at this point: is my SASL and TLS setup secure (encrypted)
> with my current configuration below?

> Oct 27 16:22:30 ns postfix/smtpd[15850]: Anonymous TLS connection
> established from[]: TLSv1 with
> cipher DHE-RSA-AES256-SHA (256/256 bits)

The above line shows a TLS session correctly established (this
line is also logged at smtpd_tls_loglevel = 1). This
connection is secure. Typically one would use "-o
smtpd_tls_security_level=enforce" on the submission port 587
to require a secure connection on that port.

I've found it also generally useful to go ahead and enable
smtps wrappermode SSL on port 465 for folks who mistakenly
configure their client that way, or for folks with antique
software that doesn't properly support STARTTLS.

STARTTLS and wrappermode are equally secure and I think the
goal is to cause your customers/clients/coworkers no more
grief than necessary.

> Failed log entry, same as before but SSL enabled on the phone (client):

The phone connects to the port, but the phone is expecting a
TLS handshake rather than an SMTP conversation, so the session
is never established.

   -- Noel Jones
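A master.cf fragment implementing the two-port layout Noel describes above (an added example, not configuration from the thread or from the Postfix project; the service names, the `syslog_name` values and the client restriction line are my assumptions, and the value Postfix accepts for requiring TLS on a port is `encrypt`):

```text
# /etc/postfix/master.cf (constructed example)
# Port 587: STARTTLS submission. The client must negotiate TLS before
# anything else is accepted, and AUTH is only offered inside TLS, so a
# plaintext password never crosses the wire.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465: wrapper-mode "SSL" for clients that have "Use SSL" checked
# or that do not support STARTTLS. The TLS handshake happens before the
# SMTP banner, which is what such a client is waiting for.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Both services rely on the certificate and key already configured in main.cf; after `postfix reload`, a successful client login on either port logs the same "TLS connection established ... with cipher ..." line quoted above, with the syslog_name showing which port was used.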