On 10/13/2011 9:24 PM, Peter wrote:
> from postconf(5) for smtpd_tls_security_level=encrypt:
>
>> Mandatory TLS encryption: announce STARTTLS support to SMTP
>> clients, and require that clients use TLS encryption. According to
>> RFC 2487 this MUST NOT be applied in case of a publicly-referenced
>> SMTP server. Instead, this option should be used only on dedicated
>> servers.
>
> Most of this is very clear, but the term "dedicated servers" in the last
> sentence is very confusing, in fact I'm left wondering what having a
> dedicated server has to do with TLS at all. Can you clarify this last
> sentence and possibly find a better term for the documentation?
I'll attempt to translate for you. On the public internet you can't force remote SMTP servers to use encryption when connecting to your server, because very few, if any, public SMTP servers implement outbound encryption in this way. Most send in plain text, and always have. For instance, what I'm typing right now will arrive at the Postfix list server. My Postfix smtp server doesn't support transmitting outbound mail with encryption (yours probably doesn't either). If the list server did require encryption I wouldn't be able to send my reply. This is what RFC 2487 is getting at here.

What "dedicated servers" means in this context are SMTPD servers within an organization dedicated to a specific task, in this case almost always relay submission. These are the SMTPD servers that accept relay mail from your users' MUAs, such as Thunderbird and Outlook Express. Such clients all support outbound encryption. If you've ever used an ISP mail account and set up your "outbound SMTP server settings" then you should understand encryption in this context.

Configuring the 'submission' service or '587' service in your Postfix master.cf would create the "dedicated server" mentioned above.

Hope this helps clear things up a bit for you.

-- 
Stan
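As an added illustration (not from the original thread), here is how the distinction Stan describes looks in Postfix configuration: the public port 25 service keeps opportunistic TLS, while the submission service on 587 overrides it to mandatory TLS via per-service `-o` options. Both files are shown in one block for readability; certificate paths are placeholders, and the SASL restrictions are one common choice rather than the only one.

```conf
# ---- main.cf: the publicly-referenced SMTP server on port 25 ----
# Opportunistic TLS (RFC 2487 compliant): announce STARTTLS, but still
# accept remote MTAs that deliver in plain text.
smtpd_tls_security_level = may
# Placeholder paths; point these at your real certificate and key.
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
# Outbound deliveries are opportunistic too, for the same reason.
smtp_tls_security_level = may

# ---- master.cf: the "dedicated" submission service on port 587 ----
# Only MUAs (Thunderbird, Outlook, ...) connect here, and they all
# support STARTTLS, so mandatory TLS is safe on this service alone.
# Each "-o" line overrides the main.cf value for this service only.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With this split, a remote MTA sending in the clear to port 25 is still accepted, while a client on 587 must negotiate TLS before AUTH is even offered and must authenticate before it can relay. Review the effective main.cf settings with `postconf -n` after editing.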