Nice to see you here, Mouss! Thank you for your time and answer, again:

> Instead of this, use the 3rd option: "Use the STARTTLS command ..."
>
> STARTTLS is the standard method for doing SSL/TLS in ESMTP.

OK. So I've done that, and here is what I see:

. Client's part:

[14:59:19] SMTP< 220 The eMail Service
[14:59:19] ESMTP> EHLO localhost
[14:59:20] ESMTP< 250-myhost.org
[14:59:20] ESMTP< 250-PIPELINING
[14:59:20] ESMTP< 250-SIZE 30720000
[14:59:20] ESMTP< 250-VRFY
[14:59:20] ESMTP< 250-ETRN
[14:59:20] ESMTP< 250-AUTH PLAIN LOGIN
[14:59:20] ESMTP< 250-AUTH=PLAIN LOGIN
[14:59:20] ESMTP< 250-ENHANCEDSTATUSCODES
[14:59:20] ESMTP< 250-8BITMIME
[14:59:20] ESMTP< 250 DSN
[14:59:20] ESMTP> STARTTLS
[14:59:21] ESMTP< 502 5.5.1 Error: command not implemented
** error occurred on SMTP session
*** Error occurred while sending the message:
502 5.5.1 Error: command not implemented

I get the same when I check "Use not blocking SSL".

. Server's side (/var/log/mail.log):

myhost postfix/smtpd[30187]: connect from unknown[2.3.4.5]
myhost postfix/smtpd[30187]: lost connection after STARTTLS from unknown[2.3.4.5]
myhost postfix/smtpd[30187]: disconnect from unknown[2.3.4.5]

I get the same when I check "Use not blocking SSL".

> the option you tried to select means using old smtp inside a
> pre-established SSL session ("wrapper mode SSL") and is not a
> standard. it is needed by some non standard compliant mail software
> (mostly in the MS world, although outlook 2007 has been reported to
> support STARTTLS)
>
> > then it gives me error on connection. Interesting that I see no any
> > error in /var/log/mail.log, so I suppose may I have to open other
> > port in my firewall, for now I opened 25 and 465.
> >
>
> by default, smtps is disabled in master.cf. you can enable it if you
> want to support non-compliant mailers (mostly outlook prior to 2007).

No, I do not want to support non-standard stuff! If it is not correct, I'd better tune my server for the correct one. And therefore, there is no need to allow port 465, correct? So I can safely close it?

Also, as I see it, it is impossible to protect postfix from someone finding a password to fit a login by limiting connections per some period with iptables, because in both cases (getting email from another email server and sending our email through our own server) we use the same port, 25, both for authorizing server users and for getting new mail from other servers. Is that right? If so, then how can I protect the server from someone finding a password to fit a postfix login?

Thank you for your answers, which are precious to me!