On Mon, Aug 11, 2014 at 06:25:50PM -0400, Alex wrote:

> > Yes, though if you make SSL/TLS mandatory (via smtp_tls_policy_maps
> > and the "encrypt" or "secure" levels) then some weaker ciphers are
> > excluded by default.
>
> Okay, just to be sure I understand this correctly, I need to still
> configure my server to be both an smtps server as well as a client to an
> smtps server so it can transport the message from the user's client to my
> server, then to the remote system, correct?

Let's talk about one thing at a time. What problem is your user reporting?

  * An inability to use your server as a submission server, that is,
    to use an MUA like Outlook with your server as its SMTP server?

Or

  * An inability to route mail to some remote system via your server?

Your initial post seemed to suggest the latter, but now you're talking
about changing settings when receiving mail, why?

> Is trying STARTTLS then plaintext the proper way to do it, or am I missing
> something?

One thing at a time.

> > > smtp_use_tls = yes
> >
> > Set "smtp_tls_security_level = may" instead.
>
> I have that as well. Should I just comment out smtp_use_tls?

If you really had it in place, it would have been reported by
"postconf -n". Did you not report all the settings? Or are you
confusing "smtpd_tls_security_level" with "smtp_tls_security_level"?

> > Finally, you've posted no logs, leaving everyone on this list blind
> > to the actual problem. If you want help post logs that detail the
> > problem you're having.
>
> I'm not sure I'm explaining myself properly. The issue is that we have a
> client, which I assume would be Outlook, that would like to connect to my
> postfix server to send a remote system an encrypted email that only
> supports SSL.

Which thing only supports SSL, the Outlook client, or the remote system?

> This is why I described above that I thought I would need to set up smtps
> on my system, then somehow configure my system to try SSL after the default
> TLS, which isn't supported on the remote system.

You sure seem to be confused about the roles of the input and output
sides of an MTA. Mail comes in, is queued on disk, and then goes out.
The input settings (receiving mail) are separate and independent of
the output settings (sending mail).

To support Outlook as an SSL/TLS submission client, you need to set up
the smtps (input) wrapper-mode service as described in TLS_README.
Outlook indeed does not support "TLS" (that is STARTTLS) and only
supports SSL encapsulated SMTP on port 465.

-- 
Viktor.
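
The split between input (smtpd_) and output (smtp_) settings discussed in this message can be checked mechanically against "postconf -n" output. The script below is an added example, not code from the thread or from the Postfix project; the sample settings, hostname and certificate path are constructed, and the function names are hypothetical.

```python
# Added example: split "postconf -n" output into the input (smtpd_) and
# output (smtp_) sides of the MTA and flag the legacy TLS switches.

# Legacy booleans and the security level each one implies when set to "yes";
# listed strongest first so enforce_tls wins over use_tls.
LEGACY = (("enforce_tls", "encrypt"), ("use_tls", "may"))
SIDES = {"input": "smtpd_", "output": "smtp_"}


def parse_postconf(text):
    """Return {name: value} from 'name = value' lines."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name.strip():
            settings[name.strip()] = value.strip()
    return settings


def audit(text):
    """Report the TLS level configured for each side of the MTA."""
    settings = parse_postconf(text)
    report = {}
    for side, prefix in SIDES.items():
        level = settings.get(prefix + "tls_security_level") or None
        legacy = [(prefix + key, implied) for key, implied in LEGACY
                  if settings.get(prefix + key, "").lower() == "yes"]
        report[side] = {
            "level": level,
            "legacy": [name for name, _ in legacy],
            # An explicit level overrides the legacy switches. None means
            # nothing was set here and the Postfix default applies.
            "effective": level or (legacy[0][1] if legacy else None),
            "advice": [f'replace "{name} = yes" with '
                       f'"{prefix}tls_security_level = {implied}"'
                       for name, implied in legacy],
        }
    return report


# Constructed sample (hostname and path are placeholders).
SAMPLE = """\
myhostname = mail.example.com
smtp_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/server.pem
"""

if __name__ == "__main__":
    for side, info in audit(SAMPLE).items():
        print(side, info)
```

Settings passed with "-o" in master.cf, such as the wrapper-mode option on an smtps service, do not appear in "postconf -n" output and are outside what this script inspects.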