On 18 October 2011 14:17, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 10/18/2011 12:04 PM, Simon Brereton wrote:
>> On 13 October 2011 20:11, Noel Jones <njo...@megan.vbhcs.org> wrote:
>>> The only place you should really care about encryption is if your
>>> own clients submit SASL authenticated mail -- the far most common
>>> auth mechanisms are PLAIN and LOGIN which really should be protected
>>> inside a TLS connection. This is commonly controlled by using
>>> "smtpd_tls_auth_only = yes", and if you use the recommended
>>> submission port, setting '-o smtpd_enforce_tls=yes' on the
>>> submission entry in master.cf. In these cases, if TLS isn't used or
>>> doesn't work, the client can't transfer mail.
>>
>>
>> Sorry to resurrect this - and gmail won't let me amend the subject.
>> After reading this, I was concerned about my submission port
>> settings. I have:
>>
>> submission inet n       -       n       -       -       smtpd
>>   -o smtpd_delay_reject=yes
>>   -o receive_override_options=no_address_mappings
>>   -o content_filter=dksign:[127.0.0.1]:10028
>>   -o smtpd_enforce_tls=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>
>>
>> Is "smtpd_enforce_tls=yes" a suitable replacement/substitute for
>> "smtpd_tls_auth_only = yes"?
>
> They do different things; I expect most people use both.
>
> smtpd_enforce_tls is obsolete, instead use
>   -o smtpd_tls_security_level=encrypt
> This setting will reject all mail from unencrypted connections. The
> "encrypt" setting must not be used on a public-facing port 25, but
> is widely used and recommended on the submission port.
>
> smtpd_tls_auth_only prevents postfix from offering or accepting the
> AUTH command until after an encrypted session is started. It is
> commonly used on both the submission port and on port 25.
>
Thanks for the clarification. I'm using both without an issue (so far - I'm waiting for the one user - and there's always one) to tell me their client has stopped working.

Cheers

Simon
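The two settings Noel describes have directly observable effects on the wire, so the quickest way to confirm a submission listener really has both is to probe it: before STARTTLS, EHLO should not list AUTH (smtpd_tls_auth_only=yes) and a MAIL FROM should be refused with a 5xx (smtpd_tls_security_level=encrypt); after STARTTLS, AUTH should appear. The script below is an added example written for this page, not code from the thread or from Postfix. The host and port are placeholders, the sample EHLO replies are constructed rather than captured from any real server, and it assumes the server answers the pre-TLS MAIL FROM itself with a 5xx rather than deferring the rejection to RCPT TO.

```python
"""Probe an SMTP submission listener for the two protections discussed in
the thread: smtpd_tls_auth_only=yes (AUTH not offered before STARTTLS) and
smtpd_tls_security_level=encrypt (no mail accepted before STARTTLS).

Added example; not code from the original thread or from Postfix. The
host/port and the sample EHLO replies below are placeholders/constructed."""
import smtplib
import ssl
import sys


def parse_ehlo(ehlo_reply: str) -> dict:
    """Parse a raw multi-line EHLO reply into {KEYWORD: parameters}.

    The first line is the server's greeting (hostname) and carries no
    capability, so it is skipped, as smtplib does internally."""
    features = {}
    lines = [ln.strip() for ln in ehlo_reply.splitlines() if ln.strip()]
    for line in lines[1:]:
        # Drop a leading "250-" / "250 " if the raw reply text was passed in.
        if len(line) >= 4 and line[:3].isdigit() and line[3] in "- ":
            line = line[4:]
        keyword, _, params = line.partition(" ")
        features[keyword.upper()] = params.strip()
    return features


def assess(ehlo_plain: str, mail_from_code: int, ehlo_tls: str) -> dict:
    """Judge one probe: the EHLO reply before TLS, the reply code given to a
    MAIL FROM sent before STARTTLS, and the EHLO reply after STARTTLS."""
    before = parse_ehlo(ehlo_plain)
    after = parse_ehlo(ehlo_tls)
    return {
        # STARTTLS must be offered at all, or clients cannot encrypt.
        "starttls_offered": "STARTTLS" in before,
        # smtpd_tls_auth_only=yes: AUTH hidden until the session is encrypted.
        "auth_hidden_before_tls": "AUTH" not in before,
        # smtpd_tls_security_level=encrypt: a pre-TLS MAIL FROM gets a
        # permanent 5xx rejection instead of 250.
        "mail_refused_before_tls": 500 <= mail_from_code <= 599,
        # After STARTTLS, AUTH must appear or legitimate clients cannot log in.
        "auth_offered_after_tls": "AUTH" in after,
    }


def hardened(result: dict) -> bool:
    """True only when every protection in an assess() result holds."""
    return all(result.values())


def probe(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Run the probe against a live listener (needs network; not run offline)."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        ehlo_plain = s.ehlo_resp.decode("ascii", "replace")
        # A sender in the reserved .invalid TLD ensures nothing can be delivered
        # even if the server wrongly accepts mail on a plaintext session.
        code, _ = s.docmd("MAIL", "FROM:<probe@example.invalid>")
        if 200 <= code < 300:
            s.rset()  # clear the open transaction before STARTTLS
        ehlo_tls = ""
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            s.ehlo()
            ehlo_tls = s.ehlo_resp.decode("ascii", "replace")
        return assess(ehlo_plain, code, ehlo_tls)


# Constructed sample replies (not captured from any real server).
EHLO_PLAIN_HARDENED = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

EHLO_PLAIN_WEAK = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""

EHLO_AFTER_TLS = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250 8BITMIME"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 587
        result = probe(sys.argv[1], port)
    else:
        # Offline demonstration: a listener that still advertises AUTH and
        # accepts MAIL FROM on a plaintext session fails two checks.
        result = assess(EHLO_PLAIN_WEAK, 250, EHLO_AFTER_TLS)
    for check, ok in result.items():
        print(f"{'OK  ' if ok else 'FAIL'} {check}")
    sys.exit(0 if hardened(result) else 1)
```

Run it as `python probe_submission.py mail.example.invalid 587` against your own server; with no arguments it evaluates the constructed weak sample and exits non-zero. A listener configured with both `smtpd_tls_security_level=encrypt` and `smtpd_tls_auth_only=yes` should pass all four checks; a leftover `smtpd_enforce_tls=yes` without `smtpd_tls_auth_only` typically shows up as `auth_hidden_before_tls` failing while `mail_refused_before_tls` still passes.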