> Just a point of clarification... port 465 isn't "deprecated" because it was
> never formerly assigned by IANA.
>
> It was highjacked by some mailer (I forget which) and when 587 was assigned,
> it was agreed to stop using the former port.
>
> As for one of your questions, it's assumed that 465 comes up with SSL turned
> on by default, and that it doesn't come up in the clear with STARTTLS turning
> TLS on.
>
> And "plain" sends the password in the clear, but "login" sends it hashed.
> I.e. you need:

I'm OK to send the password "in the clear" since the entire connection is encrypted from STARTTLS, correct?

> pwcheck_method: saslauthd
> mech_list: plain login
>
> in your /etc/sasl2/smtp.conf file... or you can change "mech_list" to only
> "login", or even "digest-md5" and "cram-md5" (as we do here) with TB using
> "Encrypted password" as the authentication type.

You found a typo in my /etc/sasl2/smtpd.conf which I've corrected and I no longer get the "Bad sequence of commands 503 5.5.1 Error: authentication not enabled" error from Squirrelmail when I specify port 25, but Squirrelmail still won't send mail over 25 or 587.

- Grant

>> I've been using smtps on port 465 for sending mail but I read it's
>> deprecated so I'm trying to switch to submission port 587.
>>
>> With 465 I was using the "Connection security: SSL/TLS" setting in
>> Thunderbird, but after switching to 587 I can't send mail unless I
>> change it to STARTTLS. Can anyone explain this? Should I be using
>> STARTTLS instead of SSL/TLS for courier 993?
>>
>> Whether using 465 or 587, I noticed I can't log in to send mail from
>> my mail clients unless the password is sent unencrypted. Is that OK
>> since I'm using STARTTLS or should I also enable encryption of the
>> password?
>>
>> Previously in master.cf I was running smtps like this:
>>
>> smtps inet n - n - - smtpd
>>   -o smtpd_tls_wrappermode=yes
>> #  -o smtpd_sasl_auth_enable=yes
>> #  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>> #  -o milter_macro_daemon_name=ORIGINATING
>>
>> Should I enable all of this for submission:
>>
>> submission inet n - n - - smtpd
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>>
>> I don't think I need milter_macro_daemon_name since I'm not using a
>> mail filter. I am running saslauthd but it looks like I didn't have
>> it enabled for smtps previously. I'm surprised because I thought I
>> required authentication in order to use smtps.
>>
>> Here is most of the non-default stuff from main.cf:
>>
>> smtpd_sasl_auth_enable = yes
>> smtpd_sasl2_auth_enable = yes
>> smtpd_sasl_security_options = noanonymous
>> smtpd_sasl_local_domain =
>>
>> smtpd_recipient_restrictions =
>>     permit_sasl_authenticated,
>>     permit_mynetworks,
>>     reject_unauth_destination,
>>     permit
>>
>> postscreen_greet_action = enforce
>> postscreen_pipelining_enable = yes
>> postscreen_pipelining_action = enforce
>> postscreen_non_smtp_command_enable = yes
>> postscreen_non_smtp_command_action = enforce
>> postscreen_bare_newline_enable = yes
>> postscreen_bare_newline_action = enforce
>>
>> smtpd_tls_security_level = may
>> smtpd_tls_auth_only = yes
>>
>> Thanks to anyone who can help me out with this or point out any
>> deficiencies/stupidities in my config.
>>
>> - Grant
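
What the PLAIN, LOGIN and CRAM-MD5 mechanisms named in the thread's mech_list discussion each put on the wire inside the SMTP AUTH exchange, and what can be read back from those bytes if the session is not wrapped in TLS. This is an added example, not part of the original messages; the account name, password and challenge are constructed sample values and the function names are hypothetical.

```python
import base64
import hashlib
import hmac


def b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def auth_plain(user: str, password: str) -> str:
    """RFC 4616: one reply, base64(authzid NUL authcid NUL password), authzid empty."""
    return b64(b"\0" + user.encode() + b"\0" + password.encode())


def auth_login(user: str, password: str) -> tuple[str, str]:
    """LOGIN: two replies to the server's 334 prompts, each just base64 of the value."""
    return b64(user.encode()), b64(password.encode())


def auth_cram_md5(user: str, password: str, challenge_b64: str) -> str:
    """RFC 2195: base64(user SP hex(HMAC-MD5(key=password, msg=server challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return b64(f"{user} {digest}".encode())


def recover_password(mech: str, client_replies: list[str]):
    """Password readable from the client's replies alone, or None if none is carried."""
    if mech == "PLAIN":
        return base64.b64decode(client_replies[0]).split(b"\0", 2)[2].decode()
    if mech == "LOGIN":
        return base64.b64decode(client_replies[1]).decode()
    return None  # CRAM-MD5 sends only a keyed digest tied to this one challenge


if __name__ == "__main__":
    user, pw = "grant@example.org", "s3cret-sample"          # constructed
    challenge = b64(b"<1896.697170952@mail.example.org>")     # constructed
    sessions = {
        "PLAIN": [auth_plain(user, pw)],
        "LOGIN": list(auth_login(user, pw)),
        "CRAM-MD5": [auth_cram_md5(user, pw, challenge)],
    }
    for mech, replies in sessions.items():
        print(f"{mech:9} wire={replies} recovered={recover_password(mech, replies)!r}")
```

With `smtpd_tls_auth_only = yes`, as in the main.cf above, Postfix does not offer AUTH until the session is encrypted, so none of these replies cross the network outside TLS.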