On 10/28/2010 6:26 PM, Kory Hamzeh wrote:
3. I have TLS working with name/pass auth, on port 587 if the client
UNCHECKS "Use SSL". For some reason that I don't understand, if the client
has "Use SSL" enabled, it disconnects the TCP connection as soon as a SSL

In the context of most mail clients, SSL refers to (deprecated) wrappermode TLS, typically on port 465.

My main question at this point: is my SASL and TLS setup secure (encrypted)
with my current configuration below?
Oct 27 16:22:30 ns postfix/smtpd[15850]: Anonymous TLS connection
established from 108.sub-97-48-178.myvzw.com[97.48.178.108]: TLSv1 with
cipher DHE-RSA-AES256-SHA (256/256 bits)

The above line shows a TLS session correctly established (this line is also logged at smtpd_tls_loglevel = 1). This connection is secure. Typically one would use "-o smtpd_tls_security_level=enforce" on the submission port 587 in master.cf to require a secure connection on that port.

I've found it also generally useful to go ahead and enable smtps wrappermode SSL on port 465 for folks who mistakenly configure their client that way, or for folks with antique software that doesn't properly support STARTTLS.

STARTTLS and wrappermode are equally secure and I think the goal is to cause your customers/clients/coworkers no more grief than necessary.

Failed log entry, same as before but SSL enabled on the phone (client):
The phone connects to the port, but the phone is expecting a TLS handshake rather than an SMTP conversation, so the session is never established.
  -- Noel Jones
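The two settings the reply recommends (STARTTLS required on the submission port 587, wrappermode SSL on smtps port 465) and the "TLS connection established" log line it quotes can both be checked mechanically. The following Python is an added example, not code from the thread or from Postfix: it parses a master.cf fragment, reports the findings a reviewer would raise (587 without `smtpd_tls_security_level=encrypt`, the value Postfix actually accepts for "enforce"; no 465 service or 465 without `smtpd_tls_wrappermode=yes`), and parses smtpd TLS log lines to extract protocol, cipher and key size. The master.cf fragments and the second log line are constructed for the example; the first log line is the one quoted above.

```python
import re

# Constructed master.cf fragment (not the poster's file): STARTTLS-only submission
# on 587 plus wrappermode smtps on 465, the layout the reply recommends.
GOOD_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
smtps      inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
"""

# Constructed counter-example: 587 only "may" use TLS, and there is no 465 service.
BAD_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
"""

def parse_master_cf(text):
    """Return {service: {option: value}} for the inet services in a master.cf.
    A service line has 8 whitespace-separated fields; indented "-o key=value"
    lines belong to the most recent service, as in Postfix's own syntax."""
    services, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():  # continuation line carrying an -o override
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S*)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
            continue
        fields = line.split()
        if len(fields) >= 8 and fields[1] == "inet":
            current = fields[0]
            services[current] = {}
        else:
            current = None  # unix/fifo/pass services are not relevant here
    return services

def check_submission_services(services):
    """Return a list of findings; an empty list means 587 and 465 match the reply's advice."""
    findings = []
    sub = services.get("submission")
    if sub is None:
        findings.append("no submission service (port 587) defined")
    else:
        if sub.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: set smtpd_tls_security_level=encrypt so AUTH never happens in plaintext")
        if sub.get("smtpd_tls_wrappermode") == "yes":
            findings.append("submission: wrappermode on 587 breaks STARTTLS clients")
    smtps = services.get("smtps")
    if smtps is None:
        findings.append("no smtps service (port 465) for clients that have 'Use SSL' enabled")
    elif smtps.get("smtpd_tls_wrappermode") != "yes":
        findings.append("smtps: needs smtpd_tls_wrappermode=yes, otherwise 'Use SSL' clients drop at connect")
    return findings

# smtpd logs "<trust> TLS connection established from host[ip]: proto with cipher NAME (n/m bits)".
TLS_LOG_RE = re.compile(
    r"postfix/(?P<svc>\S+)\[\d+\]: "
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)

SAMPLE_LOG_LINES = [
    # First line is the one quoted in the thread; the second is constructed to show a weak session.
    "Oct 27 16:22:30 ns postfix/smtpd[15850]: Anonymous TLS connection established "
    "from 108.sub-97-48-178.myvzw.com[97.48.178.108]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Oct 27 16:25:01 ns postfix/smtpd[15851]: Anonymous TLS connection established "
    "from client.example[192.0.2.10]: SSLv3 with cipher RC4-SHA (128/128 bits)",
]

def parse_tls_log_line(line):
    """Parse a 'TLS connection established' line; return a dict or None.
    'Anonymous' means the client sent no certificate, which is normal for a mail
    client that authenticates with SASL; the session is still encrypted.
    'strong' is a coarse check: no SSLv2/SSLv3, no RC4/DES/export/NULL ciphers, >= 128 bits."""
    m = TLS_LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["bits"], d["algbits"] = int(d["bits"]), int(d["algbits"])
    weak_cipher = any(tag in d["cipher"] for tag in ("RC4", "DES", "EXP", "NULL"))
    d["strong"] = d["proto"] not in ("SSLv2", "SSLv3") and d["bits"] >= 128 and not weak_cipher
    return d

if __name__ == "__main__":
    for name, cf in (("good", GOOD_MASTER_CF), ("bad", BAD_MASTER_CF)):
        print(name, check_submission_services(parse_master_cf(cf)) or "OK")
    for entry in SAMPLE_LOG_LINES:
        r = parse_tls_log_line(entry)
        print(r["ip"], r["proto"], r["cipher"], "strong" if r["strong"] else "WEAK")
```

Run against a real master.cf by reading the file into `parse_master_cf`; the log parser is meant to be fed lines from the mail log (the `syslog_name` override in the fragment makes 587 and 465 sessions distinguishable in the `svc` field).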
