On 08/12/2010 18:13, Victor Duchovni wrote:
On Wed, Dec 08, 2010 at 11:45:25AM -0500, Zhou, Yan wrote:
There are two ways to secure a protocol with SSL/TLS.
- Encapsulate the entire protocol in SSL/TLS. A "secure" port is
known for the SSL-encapsulated protocol, the client connects to
the secure port and immediately begins an SSL handshake, once
that completes, the client can send application protocol messages.
- Extend the application protocol with a "STARTTLS" verb, which
switches the communication channel from plaintext to SSL/TLS.
This runs on the normal application port, and the timing of the
SSL handshake is delayed until the client and server agree at
the application level to perform the necessary handshake.
The two approaches are fundamentally not interoperable: the
application protocol won't tolerate an unannounced CLIENT SSL HELLO, and
the encapsulated protocol won't tolerate plaintext application messages.
I suppose Postfix supports both? But even with tls_auth_only set to NO,
I cannot configure my mail client's outgoing mail server setting to
"TLS/SSL". The connection fails.
Everything you need to know to answer this question is explained above
or follows directly from it. The only additional wrinkle is that some
ISPs block port 25.
Port 587 is reserved for MUA (Thunderbird) ... access to submission
services with STARTTLS.
Port 25 is for relaying between MTAs, and optionally for MUAs with
or without STARTTLS, but MUAs really should be using 587 instead.
Port 465 is a legacy SMTP-encapsulated-in-SSL/TLS port, which uses the
first of the two scenarios I described. This is deprecated; SMTP clients
are supposed to use STARTTLS.
Some MUAs call SMTP over SSL/TLS "SSL" and call SMTP + STARTTLS "TLS";
this confusing terminology is unfortunate.
This is indeed the terminology on
- old Thunderbird (just checked on 2.0.0.6) and
- new Outlook (just checked on Outlook 2010).
Newer Thunderbird (checked on 3.1.6) is better, as it uses "STARTTLS" for
STARTTLS and "SSL/TLS" for wrapper mode (encapsulated protocol).