On Sun, Aug 15, 2021 at 07:06:06AM +0800, Lauren R <m...@lanren.us> wrote:
> On 2021/8/15 7:04 AM, raf wrote:
> > So "smtps" is dead. Long live "submissions".
> >
> > But it isn't for server-to-server use.
>
> so for server to server use, we should deploy starttls on port 25?
>
> thanks
> Lauren

Yes. Once you have TLS set up, Postfix will offer STARTTLS to clients
that use the EHLO command on port 25. See here for details:

  http://www.postfix.org/TLS_README.html

There might be a default self-signed snakeoil certificate already on
your system that you can use (e.g. on Debian), or you can get a
LetsEncrypt certificate:

  https://upcloud.com/community/tutorials/secure-postfix-using-lets-encrypt

But note that their advice refers to the old, no longer recommended
separate smtpd_tls_key_file and smtpd_tls_cert_file settings, not the
nice new safer smtpd_tls_chain_files setting. But to use that, you would
need to automate the construction of a single file containing
LetsEncrypt's privkey and fullchain files every time the certificate is
automatically renewed. That can be done with a certbot renewal deploy
hook.

Once Postfix is offering STARTTLS, you won't get every incoming email
arriving over TLS, but you'll probably find that every sending mail
server that can do STARTTLS will do it. And the more people who set up
TLS for their mail servers, the better it gets.

I recommend using a CA-approved certificate like LetsEncrypt just
because Postfix will use the same certificate for submissions on port
587, and mail clients (like Thunderbird) might complain if a self-signed
certificate is used in that context.

Another thing to note is that, if you are supporting mail submission by
users on port 587, you shouldn't enable SASL authentication in main.cf,
because that will make Postfix offer authentication even on port 25. You
don't need that. Instead, override smtpd_sasl_auth_enable in master.cf
where the submission service is defined. Then it will only be offered on
port 587 where it belongs.

  http://www.postfix.org/SASL_README.html

cheers,
raf
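The certbot deploy hook raf describes, as an added example that is not part of the original thread: it merges LetsEncrypt's privkey.pem and fullchain.pem into the single file that smtpd_tls_chain_files expects (key first, then the chain) and reloads Postfix. The output path /etc/postfix/smtpd-chain.pem and the helper names are assumptions; RENEWED_LINEAGE is the variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example: certbot deploy hook for Postfix smtpd_tls_chain_files.
# Install as /etc/letsencrypt/renewal-hooks/deploy/postfix-chain.sh (assumed path).
set -e

# build_chain_file LINEAGE_DIR OUT_FILE
# Writes privkey.pem followed by fullchain.pem into OUT_FILE, mode 0600,
# via a temp file + rename so Postfix never sees a half-written chain.
build_chain_file() {
    lineage="$1"
    out="$2"
    tmp="$out.tmp.$$"
    # umask in a subshell so the temp file is never world-readable,
    # without changing the umask of the calling shell.
    ( umask 077; cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp" )
    chmod 0600 "$tmp"
    mv -f "$tmp" "$out"
}

# reload_postfix: only reload when the postfix binary is available,
# so the hook degrades gracefully on a host where Postfix is not installed.
reload_postfix() {
    if command -v postfix >/dev/null 2>&1; then
        postfix reload
    fi
}

# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/mail.example.com)
# when it invokes a deploy hook; do nothing when run outside that context.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_chain_file "$RENEWED_LINEAGE" /etc/postfix/smtpd-chain.pem
    reload_postfix
fi

# Matching Postfix settings (assumed file paths; from the thread's advice):
#   main.cf:    smtpd_tls_chain_files = /etc/postfix/smtpd-chain.pem
#               smtpd_tls_security_level = may
#   master.cf:  submission inet n - y - - smtpd
#                 -o smtpd_sasl_auth_enable=yes
#   (leave smtpd_sasl_auth_enable unset in main.cf so port 25 does not offer AUTH)
```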