Postfix wrote, at 06/16/2009 11:23 PM:
> Hi,
> I am trying to set up SSL connections.
> 
> I have it set up as the instructions say:
> 
> smtpd_tls_CAfile = /etc/postfix/sslbundle.crt
> smtpd_tls_cert_file = /etc/postfix/server.crt
> smtpd_tls_key_file = /etc/postfix/server.key
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_tls_session_cache
> tls_random_source = dev:/dev/urandom
> smtpd_tls_security_level = may
> smtpd_use_tls = yes
> smtpd_tls_auth_only = yes
> smtpd_tls_loglevel = 3
> 
> If I telnet I get:
> 250-PIPELINING
> 250-SIZE 10240000
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
> 
> showing STARTTLS is in there.
> 
> But when I set up my email client to use ssl for outgoing, I just get an
> error.

You left out the important part: What is the error?

> If I add
>     -o smtpd_tls_wrappermode=yes
> To the master.cf file for smtp, then it works, but the server will not
> receive any incoming mail since it is trying to use ssl.

Undo that change. You shouldn't need to tweak the settings for smtp in
master.cf. As you've discovered, this doesn't really "work".

> The only way I can make it work is to set up the master.cf file with the
> smtps file for port 465 with the -o smtpd_tls_wrappermode=yes (as the
> default master.cf file has) and change my email client to use ssl with
> port 465 as the outgoing server.

Okay, your client understands smtps and isn't complaining about the
certificates. That's a potentially good sign. What client are you using?
Have you tried another?

> Then I can receive email normally and use ssl to send out the email from
> the client.

This is hopeful. It indicates that at least some of your settings are
correct.

> Is this the normal way? I can't use port 25 for optional ssl
> connections? (as in users trying to send mail use ssl, but incoming mail
> from other servers don't have to use ssl)

STARTTLS on port 25 is conventional, submission using STARTTLS on port
587 is preferable, and smtps (wrapper mode) on port 465 is deprecated
and should only be enabled if you need to support legacy clients.

We need to see the relevant lines from your server's maillog, the output
of postconf -n, and more precise details about your client configuration
and error messages. Try not to reveal your login credentials, which may
be only trivially disguised.

Also be aware that antivirus programs and firewalls can break encrypted
connections to mail servers. You may need to disable them while you are
troubleshooting and find workarounds if they are the source of the problem.
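One way to catch the port-25 mistake described above, as an added example (not code from this thread or from Postfix itself): a small lint over master.cf that flags smtpd_tls_wrappermode=yes on the smtp service, where it breaks plain SMTP from other servers, while expecting it only on smtps. It assumes the conventional service names smtp, submission and smtps, and the master.cf fragment is constructed for the demonstration.

```python
import re

# Constructed master.cf fragment (not from the thread) reproducing the
# misconfiguration: wrapper mode forced onto the port-25 "smtp" service,
# so the server expects TLS immediately and plain SMTP from other MTAs fails.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Map each 'inet' service name to its '-o key=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            # Indented "-o key=value" lines belong to the service above them
            m = re.match(r"\s*-o\s+(\w+)=(\S*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "inet":
            current = fields[0]
            services[current] = {}
        else:
            current = None  # non-inet service (e.g. pickup, cleanup)
    return services

def lint_tls_services(text):
    # Assumes the conventional service names smtp (25), submission (587), smtps (465)
    services, findings = parse_master_cf(text), []
    for name, opts in services.items():
        wrapper = opts.get("smtpd_tls_wrappermode") == "yes"
        if name == "smtp" and wrapper:
            findings.append("smtp: wrapper mode on port 25 breaks plain SMTP from other MTAs; offer STARTTLS instead")
        if name == "smtps" and not wrapper:
            findings.append("smtps: port 465 service needs smtpd_tls_wrappermode=yes")
        if name == "submission" and opts.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: port 587 should require STARTTLS (smtpd_tls_security_level=encrypt)")
    if "submission" not in services:
        findings.append("no submission service: clients should use STARTTLS on 587, not smtps on 465")
    return findings
```

Running `lint_tls_services(SAMPLE_MASTER_CF)` reports only the smtp finding; removing the wrapper-mode override from the smtp service clears it.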
