Re: Server to Server TLS encryption?
On 18.08.2013 07:32, Theodotos Andreou wrote:
> I went through the TLS Readme but I couldn't find a clear answer to the
> following question:

surely, since postfix in this case is the *client*, here you go:
http://www.postfix.org/TLS_README.html#client_tls

> Can you configure postfix in a way that it connects using TLS to another SMTP
> server, if TLS is available on the other side? For example if the destination
> server supports TLS then postfix opens a TLS connection to it.

cat /etc/postfix/main.cf | grep smtp_ | grep tls
smtp_use_tls= yes
smtp_tls_loglevel = 1
smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
smtp_tls_key_file = /etc/postfix/certs/localhost.pem
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
smtp_tls_note_starttls_offer= yes
smtp_tls_session_cache_timeout = 3600s
smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
smtp_tls_exclude_ciphers= DES-CBC3-SHA

> Furthermore can this be done even if you have a self-signed certificate on
> the destination?

yes
Re: Server to Server TLS encryption?
On 08/18/2013 07:44 PM, li...@rhsoft.net wrote:
> smtp_use_tls= yes

Don't use this, it's obsolete and replaced by ...

> smtp_tls_security_level = may

... this.

Peter
Re: Server to Server TLS encryption?
On Sun, Aug 18, 2013 at 09:44:05AM +0200, li...@rhsoft.net wrote:

Better (leaving default values out):

    scache = btree:${data_directory}/
    smtp_tls_session_cache_database = ${scache}smtp_scache
    smtp_tls_loglevel = 1
    smtp_tls_security_level = may

With the security level set to "may", there is little reason to bother with a CAfile; delivery proceeds even without a verified peer certificate, and often with an anonymous cipher-suite. Client certificates are rarely relevant with SMTP.

-- 
Viktor.
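The two replies above make a point that is easy to miss when reading a main.cf: `smtp_use_tls` is obsolete, `smtp_tls_security_level` is what counts, and at level `may` the CAfile does not gate delivery. The following checker is an added example written for this thread; it is not code from the thread's participants or from Postfix. It parses a constructed main.cf fragment (the first poster's settings plus the `${scache}` macro style from the later reply), expands `$name`/`${name}` references the way `postconf -x` would, and reports the obsolete parameter and the opportunistic level. The `data_directory` default it assumes is the usual compiled-in value `/var/lib/postfix`, which is an assumption and may differ on a given build.

```python
"""Lint the client-side TLS settings in a Postfix main.cf fragment.

Added example for this thread; not code from the thread or from Postfix.
"""
import re
from typing import Dict, List, Optional

# Constructed sample main.cf fragment (not a real server's file).
SAMPLE_MAIN_CF = """\
# client-side TLS settings (constructed sample)
smtp_use_tls= yes
smtp_tls_loglevel = 1
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
smtp_tls_security_level = may
scache = btree:${data_directory}/
smtp_tls_session_cache_database = ${scache}smtp_scache
"""

# Assumed build default for data_directory; override per installation.
ASSUMED_DEFAULTS = {"data_directory": "/var/lib/postfix"}

# Obsolete parameter -> its replacement, as documented in postconf(5).
OBSOLETE = {"smtp_use_tls": "smtp_tls_security_level"}

# Matches $name and ${name} references in a parameter value.
_VAR = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'name = value' lines; skip comments/blanks, join continuation lines.

    Postfix treats a line starting with whitespace as a continuation of the
    previous parameter's value.
    """
    params: Dict[str, str] = {}
    last: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            continue  # not a parameter line; ignore
        last = name.strip()
        params[last] = value.strip()
    return params


def expand(params: Dict[str, str], value: str,
           defaults: Optional[Dict[str, str]] = None) -> str:
    """Recursively expand $name / ${name} references in a value."""
    defaults = defaults or {}

    def repl(match: "re.Match[str]") -> str:
        name = match.group(1)
        inner = params.get(name, defaults.get(name, ""))
        return expand(params, inner, defaults)

    return _VAR.sub(repl, value)


def lint_client_tls(params: Dict[str, str]) -> List[str]:
    """Return human-readable findings about the SMTP client TLS settings."""
    findings: List[str] = []
    for old, new in OBSOLETE.items():
        if old in params:
            findings.append(f"{old} is obsolete; use {new} instead")
    level = params.get("smtp_tls_security_level", "none")
    if level == "none":
        findings.append("smtp_tls_security_level is unset: outbound mail is sent in cleartext")
    elif level == "may":
        findings.append("smtp_tls_security_level=may is opportunistic: delivery proceeds "
                        "without a verified peer certificate, so smtp_tls_CAfile is not enforced")
    return findings


def effective_session_cache(params: Dict[str, str]) -> str:
    """Resolve smtp_tls_session_cache_database to its expanded path."""
    return expand(params, params.get("smtp_tls_session_cache_database", ""), ASSUMED_DEFAULTS)


def lint_sample() -> List[str]:
    """Run the linter on the constructed sample (used by the self-check)."""
    return lint_client_tls(parse_main_cf(SAMPLE_MAIN_CF))


if __name__ == "__main__":
    parsed = parse_main_cf(SAMPLE_MAIN_CF)
    print("session cache:", effective_session_cache(parsed))
    for finding in lint_client_tls(parsed):
        print("-", finding)
```

Running it on a real file is a matter of replacing `SAMPLE_MAIN_CF` with the file's contents; the expansion step matters because a cache path written as `${scache}smtp_scache` only becomes meaningful once `scache` and `data_directory` are resolved.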
Re: Server to Server TLS encryption?
My understanding is that this happens automatically during the negotiation phase if the remote server advertises TLS. At least this is what I thought happened during a recent test. And I was certainly using self-signed certificates.

Actually very nice things begin to happen when TLS is enabled. See your friendly Postfix logs!

Note the opening sentence of the TLS README:
"Transport Layer Security (TLS, formerly called SSL) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication."

It clearly speaks of SMTP sessions. This happens for 2.3+.

Andreas

On 18-08-2013 08:32, Theodotos Andreou wrote:
> Hi guys,
>
> I went through the TLS Readme but I couldn't find a clear answer to the
> following question:
>
> Can you configure postfix in a way that it connects using TLS to another
> SMTP server, if TLS is available on the other side? For example if the
> destination server supports TLS then postfix opens a TLS connection to it.
>
> Furthermore can this be done even if you have a self-signed certificate
> on the destination?
>
> Thanks
Re: Server to Server TLS encryption?
This is my understanding as well. This can be seen in the message source if it has been sent from a server with TLS enabled to another server with TLS. It looks something like this, I believe:

Received: from mail.example.com (mail.example.com [xxx.xxx.xxx.xxx])
        (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
        (No client certificate requested)
        by mail.example.org (Postfix) with ESMTPS id xxx

Cheers,
Jack-Benny

On 08/18/2013 07:41 PM, Andreas Kasenides wrote:
> My understanding is that this happens automatically during the negotiation
> phase if the remote server advertises TLS. At least this is what I thought
> happened during a recent test. And I was certainly using self-signed
> certificates.
>
> Actually very nice things begin to happen when TLS is enabled. See your
> friendly Postfix logs!
>
> Note the opening sentence of the TLS README:
> "Transport Layer Security (TLS, formerly called SSL) provides
> certificate-based authentication and encrypted sessions. An encrypted
> session protects the information that is transmitted with SMTP mail or with
> SASL authentication."
>
> It clearly speaks of SMTP sessions. This happens for 2.3+.
>
> Andreas
>
> On 18-08-2013 08:32, Theodotos Andreou wrote:
>> Hi guys,
>>
>> I went through the TLS Readme but I couldn't find a clear answer to the
>> following question:
>>
>> Can you configure postfix in a way that it connects using TLS to another
>> SMTP server, if TLS is available on the other side? For example if the
>> destination server supports TLS then postfix opens a TLS connection to it.
>>
>> Furthermore can this be done even if you have a self-signed certificate
>> on the destination?
>>
>> Thanks
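The Received header quoted above is the one place a recipient can check, after the fact, whether a hop was encrypted: Postfix writes the `(using <version> with cipher <suite> (<bits>/<bits> bits))` clause and uses the `ESMTPS` protocol keyword only when TLS was negotiated. The parser below is an added example written for this thread, not code from the thread's participants or from Postfix. It unfolds an RFC 5322 folded header, pulls out the from/by hosts, the protocol keyword and the TLS details, and flags cleartext hops and deprecated ciphers such as RC4. The two sample headers, their addresses in the 192.0.2.0/24 documentation range and their queue ids are constructed, not taken from any real message.

```python
"""Extract TLS details from Postfix-style Received headers.

Added example for this thread; not code from the thread or from Postfix.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample headers. The first has the shape quoted in the post
# (an ESMTPS hop with TLS details); the second is a cleartext ESMTP hop.
RECEIVED_TLS = (
    "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    "\t(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby mail.example.org (Postfix) with ESMTPS id CONSTRUCTED1"
)
RECEIVED_PLAIN = (
    "Received: from mail.example.net (mail.example.net [192.0.2.20])\n"
    "\tby mail.example.org (Postfix) with ESMTP id CONSTRUCTED2"
)

# Cipher-suite name fragments that are deprecated today (RC4 per RFC 7465,
# single DES, NULL and EXPORT suites).
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "DES-CBC-")


class Hop(NamedTuple):
    from_host: str
    by_host: str
    protocol: str            # e.g. ESMTP, ESMTPS, ESMTPSA
    tls_version: Optional[str]
    cipher: Optional[str]
    bits: Optional[int]      # effective key bits reported by Postfix


_FROM = re.compile(r"^Received:\s*from\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_WITH = re.compile(r"\bwith\s+(\S+)")
_TLS = re.compile(r"\(using (\S+) with cipher (\S+) \((\d+)/(\d+) bits\)\)")


def unfold(header: str) -> str:
    """Join folded header lines: a line break followed by whitespace is a fold."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_received(header: str) -> Hop:
    """Parse one Received header into a Hop. Raises ValueError if malformed."""
    flat = unfold(header)
    m_from = _FROM.search(flat)
    m_by = _BY.search(flat)
    if not m_from or not m_by:
        raise ValueError("not a 'Received: from ... by ...' header")
    # Search for the protocol keyword only after 'by', because the TLS clause
    # also contains the word 'with' ("with cipher ...").
    m_with = _WITH.search(flat, m_by.end())
    protocol = m_with.group(1) if m_with else ""
    m_tls = _TLS.search(flat)
    if m_tls:
        version, cipher, bits = m_tls.group(1), m_tls.group(2), int(m_tls.group(3))
    else:
        version, cipher, bits = None, None, None
    return Hop(m_from.group(1), m_by.group(1), protocol, version, cipher, bits)


def hop_used_tls(hop: Hop) -> bool:
    """True when either signal of TLS is present: the ESMTPS keyword or the cipher clause."""
    return hop.protocol.upper().startswith("ESMTPS") or hop.tls_version is not None


def audit_hops(headers: List[str]) -> List[str]:
    """Return findings for a list of Received headers (top of message first)."""
    findings: List[str] = []
    for header in headers:
        hop = parse_received(header)
        if not hop_used_tls(hop):
            findings.append(f"cleartext hop: {hop.from_host} -> {hop.by_host}")
        elif hop.cipher and any(marker in hop.cipher for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"deprecated cipher {hop.cipher} on hop {hop.from_host} -> {hop.by_host}")
    return findings


if __name__ == "__main__":
    for line in audit_hops([RECEIVED_TLS, RECEIVED_PLAIN]):
        print(line)
```

Feeding it the `Received:` headers of a real message (outermost first) gives a per-hop picture; note that each header describes only the hop into the server that added it, so a message can be encrypted on one hop and cleartext on the next.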