On 12/07/2011 07:49 PM, Grant wrote:
I've been using smtps on port 465 for sending mail but I read it's
deprecated so I'm trying to switch to submission port 587.

With 465 I was using the "Connection security: SSL/TLS" setting in
Thunderbird, but after switching to 587 I can't send mail unless I
change it to STARTTLS.  Can anyone explain this?  Should I be using
STARTTLS instead of SSL/TLS for courier 993?

All of the "secure connection" types are rather loosely defined in mail clients. The dovecot wiki has a decent, although still (necessarily) confusing explanation:

  http://wiki2.dovecot.org/SSL

In Thunderbird's case, "STARTTLS" means "connect first, and then negotiate TLS via the STARTTLS command," which is now the way to do things even if you're going to require everyone to use TLS.


Whether using 465 or 587, I noticed I can't log in to send mail from
my mail clients unless the password is sent unencrypted.  Is that OK
since I'm using STARTTLS or should I also enable encryption of the
password?

That's fine, the entire connection is encrypted.


Previously in master.cf I was running smtps like this:

smtps     inet  n       -       n       -       -       smtpd
   -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING

Should I enable all of this for submission:

submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

I don't think I need milter_macro_daemon_name since I'm not using a
mail filter.  I am running saslauthd but it looks like I didn't have
it enabled for smtps previously.  I'm surprised because I thought I
required authentication in order to use smtps.


You've probably got permit_mynetworks near the top of your smtpd_foo_restrictions, which are inherited by default. The "-o smtpd_client_restrictions" line would have overridden that (if it was a client restriction) and forced your users to authenticate.

The same thing would work for the submission port after the switch, but you should first check that your SASL is really working since it wasn't being exercised.
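The following check is an added example, not code from this thread or from the Postfix project: it probes a submission listener the way the reply suggests, confirming that STARTTLS is offered, that AUTH is not advertised in the clear (the effect of smtpd_tls_security_level=encrypt), and that AUTH does appear once TLS is up, which is the only proof that SASL is actually being exercised. The host name is a placeholder; the sample EHLO feature sets in the main block are constructed so the comparison logic runs offline.

```python
import smtplib
import ssl

def evaluate_ehlo(before_tls, after_tls):
    """Compare EHLO extensions seen before and after STARTTLS.

    Both arguments have the shape of smtplib's esmtp_features dict:
    lower-case keyword -> parameter string (for "auth", the mechanisms)."""
    return {
        # Thunderbird's "STARTTLS" setting needs this advertised in the clear.
        "starttls_offered": "starttls" in before_tls,
        # With smtpd_tls_security_level=encrypt Postfix hides AUTH until TLS is up.
        "auth_before_tls": "auth" in before_tls,
        # Present only if smtpd_sasl_auth_enable=yes and SASL initialised properly.
        "auth_after_tls": "auth" in after_tls,
        "mechanisms": after_tls.get("auth", "").split(),
    }

def findings(result):
    """Turn the comparison into human-readable problems (empty list = OK)."""
    problems = []
    if not result["starttls_offered"]:
        problems.append("STARTTLS not offered: a client set to STARTTLS cannot upgrade")
    if result["auth_before_tls"]:
        problems.append("AUTH advertised before TLS: a client could send the password in the clear")
    if not result["auth_after_tls"]:
        problems.append("AUTH absent after TLS: SASL is not being exercised on this listener")
    return problems

def probe_submission(host, port=587, timeout=10):
    """Live check against a real server (hypothetical host; not run offline)."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        before = dict(smtp.esmtp_features)
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # smtplib discards the pre-TLS feature list after STARTTLS
        after = dict(smtp.esmtp_features)
    return evaluate_ehlo(before, after)

if __name__ == "__main__":
    # Constructed EHLO feature sets standing in for a correctly configured
    # submission listener; replace with probe_submission("mail.example.invalid").
    sample_before = {"pipelining": "", "starttls": "", "8bitmime": ""}
    sample_after = {"pipelining": "", "auth": " PLAIN LOGIN", "8bitmime": ""}
    print(findings(evaluate_ehlo(sample_before, sample_after))
          or ["submission listener looks right"])
```

An empty findings list means the listener matches the master.cf stanza discussed above; "AUTH absent after TLS" is the symptom of saslauthd not being wired in.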
