On 12/06/2011 04:34 PM, Grant wrote:

> Do you know how smtps comes into play?  Right now I've got the
> following uncommented in master.cf:
>
> smtp      inet  n       -       n       -       -       smtpd
> smtps     inet  n       -       n       -       -       smtpd
>    -o smtpd_tls_wrappermode=yes
>
> Should I write an smtpsd line or does tlsproxy make that unnecessary?

SMTPS is deprecated. You probably don't need it at all, unless you do. Some older (Microsoft...) clients can't use anything else for encryption.

These days, the "proper" way to secure your users' connections is with TLS on the submission port, 587. You should also have a commented-out 'submission' line in your master.cf; that's what it's for.

The idea is that you can force encryption on port 587, and have your users connect there instead of port 25. Then, the only restriction you need for those connections is that the username/password be correct. The rest of the mail comes in on port 25, unencrypted, as usual, and is subjected to your anti-spam checks.

If you're using either SMTPS or the submission service, you don't need to change them. Your users will continue to connect to port 465 (smtps) or 587 (submission), bypassing postscreen entirely.

If you're not using the submission service, i.e. both external and user-submitted mail come in on port 25, then you'll probably want to exempt your users from the postscreen restrictions:

  http://www.postfix.org/postconf.5.html#postscreen_access_list

but you should really be using the submission port!

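A worked master.cf layout for the split the reply describes (port 25 behind postscreen with the usual anti-spam checks, port 587 with mandatory STARTTLS and "authenticated or rejected" as the only restriction, port 465 kept only for legacy clients), plus the main.cf exemption for the case where users still submit on port 25. This is an added example, not configuration from the original post or from Grant's server; the CIDR file path and the client network in it are assumptions.

```text
# master.cf (added example, not from the original post)
#
# Port 25: postscreen answers the connection first and hands the
# survivors to a spawned smtpd for the normal anti-spam restrictions.
# No user authentication is offered on this port. tlsproxy here only
# serves postscreen's own STARTTLS handling; it does not replace the
# wrapper-mode smtps entry below.
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy

# Port 587: TLS is mandatory (encrypt), AUTH is only announced inside
# TLS, and the only restriction is a valid SASL login. Connections
# here never touch postscreen.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465: implicit TLS (wrapper mode) for clients that cannot do
# STARTTLS. Leave this block out entirely if no such clients exist.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# main.cf, only if users still submit on port 25 and must be exempted
# from postscreen (file path and network are assumptions):
#   postscreen_access_list = permit_mynetworks,
#       cidr:/etc/postfix/postscreen_access.cidr
#
# /etc/postfix/postscreen_access.cidr (constructed sample):
#   192.0.2.0/24   permit
```

The submission and smtps entries share the same restriction lists on purpose: because the client is authenticated, none of the sender, HELO or DNSBL checks that run on port 25 are needed, and an unauthenticated connection is simply rejected. Be aware that any client listed with "permit" in the postscreen access list skips all of postscreen's tests, so the CIDR file should contain only networks you actually trust.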