On 13 October 2011 20:11, Noel Jones <njo...@megan.vbhcs.org> wrote:
> The only place you should really care about encryption is if your
> own clients submit SASL authenticated mail -- by far the most common
> auth mechanisms are PLAIN and LOGIN which really should be protected
> inside a TLS connection. This is commonly controlled by using
> "smtpd_tls_auth_only = yes", and if you use the recommended
> submission port, setting '-o smtpd_enforce_tls=yes' on the
> submission entry in master.cf. In these cases, if TLS isn't used or
> doesn't work, the client can't transfer mail.

Sorry to resurrect this - and gmail won't let me amend the subject.

After reading this, I was concerned about my submission port settings. I have:

submission inet n - n - - smtpd
  -o smtpd_delay_reject=yes
  -o receive_override_options=no_address_mappings
  -o content_filter=dksign:[127.0.0.1]:10028
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Is "smtpd_enforce_tls=yes" a suitable replacement/substitute for
"smtpd_tls_auth_only = yes"? The TLS readme only talks about
smtpd_tls_auth_only (and warns against it) for server-server
connections.

Simon
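
An added example, not part of the thread and not Postfix code: a small audit of a master.cf service entry that reports whether SASL AUTH is only reachable inside TLS. It relies on the postconf(5) notes that "smtpd_enforce_tls = yes" implies "smtpd_tls_auth_only = yes" and that a set smtpd_tls_security_level overrides smtpd_enforce_tls. The function names are hypothetical, main.cf is not read, and anything not overridden in master.cf is assumed to be "no".

```python
# Constructed sample: the submission entry quoted in the message above.
SAMPLE_MASTER_CF = """\
smtp       inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_delay_reject=yes
  -o receive_override_options=no_address_mappings
  -o content_filter=dksign:[127.0.0.1]:10028
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def service_overrides(master_cf, service):
    """Return the -o name=value overrides of one service, or None if absent."""
    logical = []
    for raw in master_cf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:      # leading whitespace continues an entry
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for entry in logical:
        fields = entry.split()
        if len(fields) >= 8 and fields[0] == service:
            args = fields[8:]                 # everything after the command name
            return dict(arg.split("=", 1) for flag, arg in zip(args, args[1:])
                        if flag == "-o" and "=" in arg)
    return None


def auth_tls_posture(overrides):
    """Decide whether SASL AUTH can only happen inside TLS (main.cf not consulted)."""
    def yes(name):
        return overrides.get(name, "no").lower() == "yes"
    level = overrides.get("smtpd_tls_security_level")
    # A non-empty security level overrides the older smtpd_enforce_tls setting.
    mandatory = (level == "encrypt") if level else yes("smtpd_enforce_tls")
    return {
        "sasl_enabled": yes("smtpd_sasl_auth_enable"),
        "tls_mandatory": mandatory,
        "auth_only_after_tls": mandatory or yes("smtpd_tls_auth_only"),
    }


if __name__ == "__main__":
    print(auth_tls_posture(service_overrides(SAMPLE_MASTER_CF, "submission")))
```

To cover settings inherited from main.cf, merge the output of `postconf -n` into the overrides before calling auth_tls_posture.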