Jesse Kretschmer wrote:
Ralf Hildebrandt wrote:
smtp inet n - n - - smtpd
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
THIS could be the problem.
This would cause the reject as you see it in the log :)
I've been reading the docs. I am not sure what the correct solution is,
but I see a directive: permit_tls_clientcerts. I suspect that I should
be adding this to the master.cf to allow these tls connections. I'll
report back if I find a working solution.
The "smtps" service is for your own mail clients to use. This
is a deprecated method of encryption sometimes called SSL (not
to be confused with HTTPS/SSL) in some mail clients. Clients
that don't authenticate via SASL should be rejected.
Typically only "older" MUAs and some Microsoft products need
the smtps service. Most modern clients use STARTTLS on the
"submission" service.
Just turn it off (comment it out) if you don't need it.
The permit_tls_clientcerts function is probably not what you
want. The typical use case is MTA to MTA authenticated
relaying since few end-user mail programs support certificate
based authentication.
If you can explain what you mean by "allow these tls
connections" we can give more pointers.
-- Noel Jones
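
The following is an added example, not part of the thread or of Postfix itself: a small audit script that reads master.cf entries and reports, per service, whether it uses wrapper-mode TLS and whether it only admits SASL-authenticated clients. The smtp and smtps entries are the ones quoted above; the submission entry and the function names are constructed for illustration, and only the plain "-o name=value" override form is handled.

```python
# Added example, not from the thread. The smtp and smtps entries are the ones
# quoted above; the submission entry is constructed for comparison.
SAMPLE_MASTER_CF = """\
smtp inet n - n - - smtpd
smtps inet n - n - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Join continuation lines (a leading-whitespace line continues the entry)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def parse_services(text):
    """Map service name -> dict of its '-o name=value' overrides."""
    services = {}
    for entry in logical_lines(text):
        fields = entry.split()
        if len(fields) < 8:  # name type private unpriv chroot wakeup maxproc command
            continue
        args = fields[8:]
        services[fields[0]] = dict(
            args[i + 1].split("=", 1)
            for i in range(len(args) - 1)
            if args[i] == "-o" and "=" in args[i + 1]
        )
    return services

def describe(overrides):
    """Summarise how a service treats TLS and unauthenticated clients."""
    restrictions = overrides.get("smtpd_client_restrictions", "").split(",")
    return {
        "implicit_tls": overrides.get("smtpd_tls_wrappermode") == "yes",
        "starttls_required": overrides.get("smtpd_tls_security_level") == "encrypt",
        "sasl_only": overrides.get("smtpd_sasl_auth_enable") == "yes"
        and restrictions == ["permit_sasl_authenticated", "reject"],
    }
```

Calling describe(parse_services(SAMPLE_MASTER_CF)["smtps"]) reports implicit TLS with SASL-only access, which is why an unauthenticated connection to that service is rejected.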