On Tue, Nov 02, 2010 at 10:27:07AM -0400, Zhou, Yan wrote:

> I have two Postfix instances, I wish to set up 
> 1. one with SSL so that clients can connect and send messages to it,
> WITHOUT authentication but the session is secure, this requires Postfix
> with TLS support.
> 2. the other with SASL2 support so that clients will need
> authentication, but the user database is set up on LDAP. 

These requirements are not incompatible. A *single* Postfix instance
can:

    - Support STARTTLS, and even attempt to enforce it for some
      clients via access tables that trigger "reject_plaintext_session".

    - Support SASL auth, and require it for sending outbound email or
      in general. For submission, the recommended approach is to have
      submission clients use a port 587 service that enforces both
      TLS and SASL auth.

> 3. I also wish to use DoveCot to get messages from the 2nd Postfix,
> DoveCot requires SMTP authentication, too. 

    Dovecot requires SASL (not SMTP) authentication, and in fact
    can act as a SASL back-end for the Postfix SMTP server. See

        http://www.postfix.org/SASL_README.html

> 
> Questions:
> 1. Can one Postfix server with multiple IPs serve both needs? I know
> Postfix can route messages differently based on IP, but not sure whether
> it can support different authentication mechanisms on one instance. 

    - You don't need multiple IPs. Just a suitable access policy

    - TLS is not an authentication mechanism, unless you are one of the
      few and the brave using client certs (don't on a port 25 service,
      but some submission port 587 servers request/require client certs).

> 2. How do I know my pre-installed Postfix 2.3.3 already has TLS support
> built-in or not?  I read that this may require a recompilation with TLS
> flag enabled.

Try:

        postconf smtpd_tls_cert_file

if an error is returned, you need to recompile. Postfix 2.3 is very
old and no longer supported/updated; you really should be using 2.4
or later, ideally 2.7.1 if you plan to upgrade.

> 3. How do I know pre-installed DoveCot already has LDAP support
> built-in, or does it require a recompilation?

This is the Postfix list.

-- 
        Viktor.
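
The single-instance layout described in the reply, as a configuration sketch. This is an added example, not part of the original message. The certificate paths, the cidr table name, the 192.0.2.0/24 client network and the Dovecot auth socket path are assumptions; the parameters are ones available in Postfix 2.3 and later.

```conf
# ---- /etc/postfix/main.cf (port 25 behaviour) ----
# Certificate and key locations are assumed paths.
smtpd_tls_cert_file = /etc/postfix/tls/server-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/server-key.pem

# Opportunistic TLS on port 25: offer STARTTLS, do not require it globally.
smtpd_tls_security_level = may

# Never offer AUTH on a session that is not yet encrypted.
smtpd_tls_auth_only = yes

# SASL stays off on port 25; the submission service turns it on.
smtpd_sasl_auth_enable = no

# Dovecot as the SASL back-end (see SASL_README). The socket path is
# relative to the Postfix queue directory and is an assumed value.
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth

# Enforce TLS for selected clients only, through an access table.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/tls_required_clients.cidr

# ---- /etc/postfix/tls_required_clients.cidr (assumed file name) ----
# Clients in this documentation-range network must use STARTTLS before
# sending mail; everyone else may still connect in plaintext.
192.0.2.0/24    reject_plaintext_session

# ---- /etc/postfix/master.cf (port 587 submission service) ----
# Mandatory TLS plus mandatory SASL auth. The user database (LDAP in the
# question) is configured on the Dovecot side, not in Postfix.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, the port 587 service should advertise AUTH only once STARTTLS has completed, while port 25 keeps accepting unauthenticated mail for local destinations.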