On 11-01-06 12:25 AM, Victor Duchovni wrote:
> On Wed, Jan 05, 2011 at 11:49:07PM -0500, brian wrote:
>> I know I'm in over my head here. Not only am I unsure how to test this, I'm
>> also having trouble interpreting the results I do get.
>> --------------------------------------------
> That's mostly it.

Almost entirely it, I'm sure. Not that I want to assume anything, of course.

>> I noticed it doesn't mention STARTTLS. This is because I didn't pass
>> -starttls to s_client?
> No, this is because after TLS is established, the encrypted EHLO
> handshake does not offer STARTTLS, since TLS is already on,

Ah, I was thinking the encrypted conversation began after EHLO. But that
wouldn't make much sense.

> and what's more, you're using smtps, so you're NOT using STARTTLS.

You see how confused I'm getting? Believe me, it's not for disregarding
the mountains of information in the docs and online. The problem is that
there are several layers involved here, and a multitude of choices for
each. I'm confused enough that it's difficult to determine what layer
I'm dealing with at a time.

> If your client wants to use STARTTLS on 587, rather than SSL wrapper
> mode (smtps) on 465, then configure and test that.
OK, I uncommented the line beginning with "submission" in master.cf,
reloaded, and checked with netstat that postfix was listening to port 587.
For posterity:
Using thunderbird, I configured the outgoing server port to 587,
"connection security" as STARTTLS, and left "use secure authentication"
unchecked. When I tried to send an email, an alert came up warning me
about my lame self-signed cert. After confirming the exception, I got
another alert saying delivery had failed. Stupidly, I hit OK before
reading it (I'm tired, and I've seen a lot of alerts this evening).
Obviously, it couldn't have been a connection failure, though.
However, when I tried again, I got a password prompt. Then the message
was delivered.
Thanks, Victor! Now, to make sure the rest of my config makes sense.
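As an added example (not from this thread or from Postfix itself), a POSIX shell check that does what Victor describes: probe 587 with -starttls smtp and 465 as a plain SSL wrapper, then confirm that the EHLO reply seen over the encrypted channel no longer lists STARTTLS and, for a submission service, does list AUTH. The host name and the sample reply are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Hostname is a placeholder.
#
# On 587 (submission) the client speaks plaintext EHLO, issues STARTTLS,
# then repeats EHLO over TLS. On 465 (smtps) TLS is the outer wrapper and
# STARTTLS never appears. In both cases the EHLO reply seen over TLS must
# not list STARTTLS, and a submission service should list AUTH.

check_ehlo_after_tls() {
    # $1: the multi-line 250 reply to the EHLO sent after TLS is up.
    # 0 = consistent with an encrypted submission session
    # 1 = STARTTLS still offered (this is not the post-TLS EHLO reply)
    # 2 = no AUTH offered (check smtpd_sasl_auth_enable on the service)
    if printf '%s\n' "$1" | grep -qi '^250[- ]STARTTLS'; then
        return 1
    fi
    if ! printf '%s\n' "$1" | grep -qi '^250[- ]AUTH '; then
        return 2
    fi
    return 0
}

probe_port() {
    # $1: host, $2: 587 or 465. Prints the 250 lines returned over TLS.
    # -starttls smtp makes s_client do the plaintext EHLO/STARTTLS itself;
    # -quiet drops the certificate dump and implies -ign_eof, so the
    # session stays open until the server has answered our QUIT.
    host=$1 port=$2 mode=
    [ "$port" = 587 ] && mode="-starttls smtp"
    printf 'EHLO probe.example.test\r\nQUIT\r\n' |
        openssl s_client -quiet $mode -connect "$host:$port" 2>/dev/null |
        grep '^250'
}

# Constructed sample of what a submission service returns once TLS is on.
sample_reply='250-mail.example.test
250-PIPELINING
250-AUTH PLAIN LOGIN
250 8BITMIME'
check_ehlo_after_tls "$sample_reply" && echo "sample reply: encrypted submission OK"

# Live use against your own server (placeholder host):
#   reply=$(probe_port mail.example.test 587); check_ehlo_after_tls "$reply"; echo "rc=$?"
#   reply=$(probe_port mail.example.test 465); check_ehlo_after_tls "$reply"; echo "rc=$?"
```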