List:       postfix-users
Subject:    Re: Need help with SALS and TLS
From:       Noel Jones <njones () megan ! vbhcs ! org>
Date:       2010-10-29 11:58:45
Message-ID: 4CCAB6F5.2020708 () megan ! vbhcs ! org

On 10/28/2010 6:26 PM, Kory Hamzeh wrote:
> 3. I have TLS working with name/pass auth, on port 587 if the client
> UNCHECKS "Use SSL". For some reason that I don't understand, if the client
> has "Use SSL" enabled, it disconnects the TCP connection as soon as a SSL

In the context of most mail clients, SSL refers to 
(deprecated) wrappermode TLS, typically on port 465.

> My main question at this point: is my SASL and TLS setup secure (encrypted)
> with my current configuration below?

> Oct 27 16:22:30 ns postfix/smtpd[15850]: Anonymous TLS connection
> established from 108.sub-97-48-178.myvzw.com[97.48.178.108]: TLSv1 with
> cipher DHE-RSA-AES256-SHA (256/256 bits)

The above line shows a TLS session correctly established (this 
line is also logged at smtpd_tls_loglevel = 1).  This 
connection is secure.  Typically one would use "-o 
smtpd_tls_security_level=enforce" on the submission port 587 
in master.cf to require a secure connection on that port.

I've found it also generally useful to go ahead and enable 
smtps wrappermode SSL on port 465 for folks who mistakenly 
configure their client that way, or for folks with antique 
software that doesn't properly support STARTTLS.

STARTTLS and wrappermode are equally secure and I think the 
goal is to cause your customers/clients/coworkers no more 
grief than necessary.

> Failed log entry, same as before but SSL enabled on the phone (client):
>

The phone connects to the port, but the phone is expecting a 
TLS handshake rather than an SMTP conversation, so the session 
is never established.


   -- Noel Jones
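As an added example (not part of the original post or Noel's configuration), here are the two master.cf services the reply describes: a submission service on port 587 that requires STARTTLS before AUTH is offered, and a wrappermode service on port 465 for clients that have "Use SSL" checked. The value Postfix accepts for mandatory TLS on smtpd_tls_security_level is `encrypt`; the chroot column, syslog names and client restrictions below are assumptions for illustration.

```conf
# master.cf (added example; assumed column values and restrictions)
#
# Port 587: STARTTLS submission. smtpd_tls_security_level=encrypt makes
# TLS mandatory, so credentials are never sent on a plaintext session.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Port 465: wrappermode ("SSL") for clients that start the TLS handshake
# immediately instead of sending EHLO first; otherwise identical policy.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With smtpd_tls_loglevel = 1 in main.cf, a successful session on either port logs the "TLS connection established ... with cipher ..." line quoted above; a client that sends "Use SSL" traffic to 587 instead of 465 never gets that far, as the last paragraph explains.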