On Tue, Nov 02, 2010 at 10:27:07AM -0400, Zhou, Yan wrote:

> I have two Postfix instances, I wish to set up
> 1. one with SSL so that clients can connect and send messages to it,
> WITHOUT authentication but the session is secure, this requires Postfix
> with TLS support.
> 2. the other with SASL2 support so that clients will need
> authentication, but the user database is set up on LDAP.

These requirements are not incompatible. A *single* Postfix instance can:

- Support STARTTLS, and even attempt to enforce it for some clients
  via access tables that trigger "reject_plaintext_session".

- Support SASL auth, and require it for sending outbound email or
  in general.

For submission, the recommended approach is to have submission clients
use a port 587 service that enforces both TLS and SASL auth.

> 3. I also wish to use DoveCot to get messages from the 2nd Postfix,
> DoveCot require SMTP authentication, too.

Dovecot requires SASL (not SMTP) authentication, and in fact can act
as a SASL back-end for the Postfix SMTP server. See

    http://www.postfix.org/SASL_README.html

>
> Questions:
> 1. can one Postfix server with multiple IPs serving both needs? I know
> Postfix can route messages differently based on IP, but not sure whether
> it can support different authentication mechanism on one instance.

- You don't need multiple IPs. Just a suitable access policy

- TLS is not an authentication mechanism, unless you are one of the
  few and the brave using client certs (don't on a port 25 service,
  but some submission port 587 servers request/require client certs).

> 2. How do I know my pre-installed Postfix 2.3.3 already has TLS support
> built-in or not? I read that this may require a recompilation with TLS
> flag enabled.

Try:

    postconf smtpd_tls_cert_file

if an error is returned, you need to recompile. Postfix 2.3 is very
old and no longer supported/updated, you really should be using 2.4
or later, ideally 2.7.1 if you plan to upgrade.

> 3. How do I know pre-installed DoveCot already has LDAP support
> built-in, or does it require a recompilation?

This is the Postfix list.

-- 
	Viktor.
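
The single-instance layout described in the reply above, sketched as an added configuration example that is not part of the original post. The certificate paths, the access table name /etc/postfix/tls_required and the client address 192.0.2.10 are placeholders constructed for illustration; the Dovecot socket path private/auth is the one used in SASL_README.

```conf
# ---- /etc/postfix/main.cf (port 25: opportunistic TLS, no SASL required) ----
# Placeholder certificate and key paths.
smtpd_tls_cert_file = /etc/postfix/server-cert.pem
smtpd_tls_key_file  = /etc/postfix/server-key.pem

# Offer STARTTLS to every client without forcing it on port 25.
smtpd_tls_security_level = may

# Never offer AUTH over a plaintext session, so passwords are only
# sent after STARTTLS has completed.
smtpd_tls_auth_only = yes

# Use Dovecot as the SASL back-end; Dovecot does the LDAP lookups.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Enforce TLS for selected clients only, via an access table whose
# right-hand side triggers reject_plaintext_session.
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/tls_required

# ---- /etc/postfix/tls_required (hypothetical table, run postmap on it) ----
# Constructed sample entry: this client must use STARTTLS.
192.0.2.10    reject_plaintext_session

# ---- /etc/postfix/master.cf (port 587: TLS and SASL auth both enforced) ----
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

The -o overrides apply only to the submission service, so the port 25 listener keeps the main.cf settings and does not offer AUTH unless smtpd_sasl_auth_enable is also set there.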