On Tue, Jan 13, 2009 at 1:39 PM, Victor Duchovni
<victor.ducho...@morganstanley.com> wrote:
> On Tue, Jan 13, 2009 at 02:37:37PM -0600, Noel Jones wrote:
>
>> Neil wrote:
>> >Okay, how can I get SSL enabled/working then?
>>
>> Uncomment the "smtps" entries in your master.cf
>>
>> It should look pretty much like this (beware line wrapping in
>> the mail):
>> smtps     inet  n       -       n       -       -       smtpd
>>   -o smtpd_tls_wrappermode=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>
> Note, the "SSL" service and (START)"TLS" service are mutually incompatible
> on any given port. If submission(587) does STARTTLS, it cannot do "SSL".
> If smtps(465) does "SSL" it cannot do STARTTLS. This is not a Postfix
> limitation; it is a consequence of the design of the two SMTP with
> SSL/TLS protocols.  Either SMTP is inside TLS or TLS is inside SMTP,
> you can't have it both ways.
>

That makes sense.

I followed Noel's suggestion (top part of master.cf below), but I
still can't get it to work.  I remade my CA with a slightly different
(and slightly better, I think) set of commands, but it seems to have
made no difference as well.

I really have no idea where I'm going wrong nor how to find out...

master.cf:
---------------
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
# ...

postconf -n
----------------
alias_database = hash:/etc/postfix/aliases
alias_maps = hash:/etc/postfix/aliases
config_directory = /etc/postfix
mailbox_command = /usr/lib/dovecot/deliver
mydestination = hermes.example.com, localhost.example.com, localhost
recipient_delimiter = +
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /etc/ssl/public/ca_cert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/public/hermes.pem
smtpd_tls_key_file = /etc/ssl/private/hermes.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

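A small checker for the point Victor makes above (one port is either wrapper-mode "SSL" or STARTTLS, never both), added here as an illustration and not code from the thread or from Postfix: it parses master.cf service entries with their `-o` overrides, falls back to the postconf -n values for anything not overridden, and reports which mode each inet smtpd listener ends up in. The sample input is constructed from the master.cf and postconf -n quoted in this message; EXPECTED_MODE encodes the port-naming convention, not anything Postfix enforces.

```python
# Constructed sample, trimmed from the master.cf and postconf -n in the post.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
"""
SAMPLE_MAIN_CF = "smtpd_tls_security_level = may\nsmtpd_tls_auth_only = yes\n"
EXPECTED_MODE = {"smtps": "wrapper", "submission": "starttls"}  # by convention

def parse_main_cf(text):
    """Parse the 'name = value' lines printed by postconf -n."""
    pairs = (ln.partition("=") for ln in text.splitlines() if "=" in ln)
    return {n.strip(): v.strip() for n, _, v in pairs}

def parse_master_cf(text):
    """Return [(service, type, command, {-o overrides})]; '#' lines ignored."""
    services = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if line[0].isspace():  # indented line continues the service above
            if services and len(parts) == 2 and parts[0] == "-o":
                name, _, value = parts[1].partition("=")
                services[-1][3][name] = value
        elif len(parts) >= 8:  # service line: name type private unpriv ... cmd
            services.append((parts[0], parts[1], parts[7], {}))
    return services

def tls_mode(overrides, main_cf):
    """'wrapper' = TLS first (465); 'starttls-<level>' = SMTP first (587)."""
    def get(name):
        return overrides.get(name, main_cf.get(name, ""))
    if get("smtpd_tls_wrappermode") == "yes":
        return "wrapper"
    level = get("smtpd_tls_security_level") or "none"
    return "plaintext" if level == "none" else "starttls-" + level

def check_listeners(master_cf_text, main_cf_text):
    """Map each inet smtpd service to (mode, warning-or-None)."""
    main_cf = parse_main_cf(main_cf_text)
    report = {}
    for name, kind, command, overrides in parse_master_cf(master_cf_text):
        if kind == "inet" and command == "smtpd":
            mode = tls_mode(overrides, main_cf)
            expected = EXPECTED_MODE.get(name)  # None: no naming convention
            ok = expected is None or mode.startswith(expected)
            report[name] = (mode, None if ok else f"{name} expects {expected}")
    return report
```

For the configuration in this message the checker reports smtp as starttls-may, submission as starttls-encrypt and smtps as wrapper with no warnings, so the mode split itself is consistent and the problem lies elsewhere (certificate files, SASL, or the client side).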