On Tue, Mar 23, 2010 at 02:23:30PM -0400, Carlos Mennens wrote:

> In my Postfix main.cf, I have the following TLS parameters:
>
> smtpd_use_tls = yes #announce STARTTLS support to SMTP clients, but do

This is the Postfix 2.2 syntax. With 2.3 and later, use:

    smtpd_tls_security_level = may

Note, Postfix does not support comments and configuration settings
on the same line.

Good:

    # Comment
    param = value

    param =
        # comment
        value1
        # comment
        value2

Bad:

    param = value # comment

> smtpd_tls_loglevel = 1 #loglevel
> smtpd_tls_cert_file = /etc/ssl/certs/mail.crt # Cert file
> smtpd_tls_key_file = /etc/ssl/private/mail.key # Key file

See above

> smtpd_tls_security_level = may # ?

Use this instead of "smtpd_use_tls".

> smtpd_tls_auth_only = yes # ?

Disable SASL authentication for un-encrypted connections.

> My confusion is the bottom two parameters. I know that if I change
> 'may' to 'encrypt' in 'smtpd_tls_security_level', I then am forcing
> all clients to require TLS connection to Postfix. This is understood
> but then I see 'smtpd_tls_auth_only', I get confused because it seems
> redundant to me with 'smtpd_use_tls'.

Don't confuse SASL authentication (username/password typically to verify
submission access rights) with session encryption (prevent passive
wiretap of session). SASL and SSL are not the same thing.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior
Unix system/email administrator to architect and sustain our perimeter
email environment. If you are interested, please drop me a note.
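
Added example, not part of the original message and not Postfix code: a Python check for the two problems the reply points out, namely `#` text on the same line as a setting (which ends up in the value) and the Postfix 2.2 `smtpd_use_tls` parameter. The function names and the sample text are constructed for illustration; the parser assumes the main.cf rules that a line starting with whitespace continues the previous setting and that blank or `#`-first lines are skipped.

```python
import re

# Constructed sample modelled on the settings quoted in the message.
SAMPLE_MAIN_CF = """\
smtpd_use_tls = yes #announce STARTTLS support
smtpd_tls_loglevel = 1 #loglevel
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt # Cert file
# A comment on its own line is fine
smtpd_tls_security_level = may
smtpd_tls_auth_only =
    # comment lines inside a continued value are skipped
    yes
"""

# Replacement named in the message for the Postfix 2.2 parameter.
OLD_SYNTAX = {"smtpd_use_tls": "smtpd_tls_security_level"}

def parse_main_cf(text):
    """Return {name: (line_no, value)} using main.cf line rules."""
    settings, current = {}, None
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank and whole-line comments are ignored
        if raw[0].isspace():
            if current:  # leading whitespace continues the previous setting
                start, value = settings[current]
                settings[current] = (start, (value + " " + stripped).strip())
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a "name = value" line
        current = name.strip()
        settings[current] = (line_no, value.strip())
    return settings

def lint_main_cf(text):
    """Flag '#' text that landed inside a value, and Postfix 2.2 TLS syntax."""
    findings = []
    for name, (line_no, value) in parse_main_cf(text).items():
        if re.search(r"(^|\s)#", value):
            findings.append((line_no, name, "inline-comment"))
        if name in OLD_SYNTAX:
            findings.append((line_no, name, "use " + OLD_SYNTAX[name]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in lint_main_cf(SAMPLE_MAIN_CF):
        print(finding)
```
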