|Main Archive Page > Month Archives > postfix-users archives|
On 10/28/2010 6:26 PM, Kory Hamzeh wrote:
> 3. I have TLS working with name/pass auth, on port 587 if the client
> UNCHECKS "Use SSL". For some reason that I don't understand, if the client
> has "Use SSL" enabled, it disconnects the TCP connection as soon as a SSL
In the context of most mail clients, SSL refers to
(deprecated) wrappermode TLS, typically on port 465.
> My main question at this point: is my SASL and TLS setup secure (encrypted)
> with my current configuration below?
> Oct 27 16:22:30 ns postfix/smtpd: Anonymous TLS connection
> established from 108.sub-97-48-178.myvzw.com[126.96.36.199]: TLSv1 with
> cipher DHE-RSA-AES256-SHA (256/256 bits)
The above line shows a TLS session correctly established (this
line is also logged at smtpd_tls_loglevel = 1). This
connection is secure. Typically one would use "-o
smtpd_tls_security_level=enforce" on the submission port 587
in master.cf to require a secure connection on that port.
I've found it also generally useful to go ahead and enable
smtps wrappermode SSL on port 465 for folks who mistakenly
configure their client that way, or for folks with antique
software that doesn't properly support STARTTLS.
STARTTLS and wrappermode are equally secure and I think the
goal is to cause your customers/clients/coworkers no more
grief than necessary.
> Failed log entry, same as before but SSL enabled on the phone (client):
The phone connects to the port, but the phone is expecting a
TLS handshake rather than an SMTP conversation, so the session
is never established.
-- Noel Jones