On Wed, Dec 08, 2010 at 11:45:25AM -0500, Zhou, Yan wrote:
> > There are two ways to secure a protocol with SSL/TLS.
> >
> > - Encapsulate the entire protocol in SSL/TLS. A "secure" port is
> > known for the SSL-encapsulated protocol, the client connects to
> > the secure port and immediately begins an SSL handshake, once
> > that completes, the client can send application protocol messages.
> >
> > - Extend the application protocol with a "STARTTLS" verb, which
> > switches the communication channel from plaintext to SSL/TLS.
> > This runs on the normal application port, and the timing of the
> > SSL handshake is delayed until the client and server agree at
> > the application level to perform the necessary handshake.
> >
> > The two approaches are fundamentally not interoperable, the
> > application protocol won't tolerate an unanounced CLIENT SSL HELLO and
> > the encapsulated protocol won't tolerate plaintext application messages.
>
> I suppose Postfix supports both? But, even with tls_auth_only set to NO.
> I cannot configure my mail client in its outgoing mail server to
> "TLS/SSL". Connection fails.
Everything you need to know to answer this question is explained above
or follows directly from it. The only additional wrinkle is that some
ISPs block port 25.
Port 587 is reserved for MUA (Thunderbird) ... access to submission
services with STARTTLS.
Port 25 is for relaying between MTAs, and optionally for MUAs with
or without STARTTLS, but MUAs really should be using 587 instead.
Port 465 is a legacy SMTP encapsulated in SSL/TLS port, which uses the
first of the two scenarios I described. This is deprecated, SMTP clients
are supposed to use STARTTLS.
Some MUAs call SMTP over SSL/TLS "SSL", and call SMTP + STARTTLS "TLS",
this confusing terminology is unfortunate.
--
Viktor.
