> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-
> us...@postfix.org] On Behalf Of Victor Duchovni
> Sent: Wednesday, December 08, 2010 11:29 AM
> To: postfix-users@postfix.org
> Subject: Re: tls/ssl or starttls, why different port#?
> 
> On Wed, Dec 08, 2010 at 11:03:10AM -0500, Zhou, Yan wrote:
> 
> > Why is that? Which one should I use: starttls or tls/ssl for secure
> > connections?
> 
> There are two ways to secure a protocol with SSL/TLS.
> 
>     - Encapsulate the entire protocol in SSL/TLS. A "secure" port is
>     known for the SSL-encapsulated protocol; the client connects to
>     the secure port and immediately begins an SSL handshake. Once
>     that completes, the client can send application protocol messages.
> 
>     - Extend the application protocol with a "STARTTLS" verb, which
>     switches the communication channel from plaintext to SSL/TLS.
>     This runs on the normal application port, and the timing of the
>     SSL handshake is delayed until the client and server agree at
>     the application level to perform the necessary handshake.
> 
> The two approaches are fundamentally not interoperable: the
> application protocol won't tolerate an unannounced CLIENT SSL HELLO
> and the encapsulated protocol won't tolerate plaintext application
> messages.
> 
> --
>       Viktor.

I suppose Postfix supports both? But even with tls_auth_only set to NO,
I cannot configure my mail client's outgoing mail server to use
"TLS/SSL". The connection fails.

But if I switch to have the mail client use "STARTTLS", then it is fine.
Why is that?

For SMTP authentication in Postfix, I am using Dovecot. Here are the
related entries in main.cf:

smtpd_sasl_type = dovecot
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = no


Thanks,
Yan
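The two modes Viktor describes, shown as an added example that is neither the thread's nor Postfix's code: a toy plaintext SMTP front end that advertises STARTTLS on the normal port. Fed a client that was configured for wrapped "TLS/SSL", its first read is a TLS ClientHello record rather than an SMTP verb, so the command parser rejects it, while a STARTTLS client negotiates normally. The `require_tls` and `auth_only_tls` flags loosely mimic `smtpd_tls_security_level = encrypt` and `smtpd_tls_auth_only = yes`; reply texts and host names are constructed.

```python
# Added example, not from the thread or from Postfix: toy SMTP server with STARTTLS.
from dataclasses import dataclass


def is_tls_client_hello(data: bytes) -> bool:
    """True if the bytes look like a TLS handshake record carrying a ClientHello:
    record type 0x16, record version 0x03 0x0X, handshake type 0x01 at offset 5."""
    return len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01


@dataclass
class ToyStartTlsServer:
    """Plaintext SMTP state machine that offers STARTTLS on the normal port.
    require_tls ~ smtpd_tls_security_level = encrypt; auth_only_tls ~
    smtpd_tls_auth_only = yes. Reply strings are toy text, not Postfix's."""
    require_tls: bool = True
    auth_only_tls: bool = False
    greeted: bool = False
    tls_active: bool = False

    def handle(self, raw: bytes) -> str:
        if is_tls_client_hello(raw):
            # A wrapped-TLS client opens with a TLS record; the plaintext
            # command parser has no way to treat that as an SMTP command.
            return "500 5.5.2 Error: bad syntax (expected SMTP command, got TLS record)"
        verb = raw.decode("ascii", "replace").strip().upper().split(" ", 1)[0]
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            # STARTTLS is only advertised while the channel is still plaintext.
            return "250 toy.example" if self.tls_active else "250-toy.example\r\n250 STARTTLS"
        if verb == "STARTTLS":
            if not self.greeted:
                return "503 5.5.1 Error: send HELO/EHLO first"
            if self.tls_active:
                return "554 5.5.1 Error: TLS already active"
            self.tls_active = True  # a real server hands the socket to the TLS library here
            return "220 2.0.0 Ready to start TLS"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        if not self.tls_active and (self.require_tls or (verb == "AUTH" and self.auth_only_tls)):
            return "530 5.7.0 Must issue a STARTTLS command first"
        return "250 2.0.0 Ok"


def run_dialogue(server: ToyStartTlsServer, client_lines: list) -> list:
    """Feed the client's messages in order and collect the server's reply to each."""
    return [server.handle(line) for line in client_lines]


# Constructed inputs: a truncated TLS 1.2 ClientHello record, and a STARTTLS client's commands.
CLIENT_HELLO = bytes.fromhex("16030100a4010000a00303") + b"\x00" * 32
STARTTLS_CLIENT = [b"EHLO laptop.example\r\n", b"STARTTLS\r\n",
                   b"EHLO laptop.example\r\n", b"AUTH PLAIN AGFiAGM=\r\n"]
```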