> I read through mts.conf man page and even into mts/smtp/smtp.c, and I
> honestly can't really figure if/when it picks submission over port-25.

Well, I won't go into the history but we changed this default a while ago. However, there's not a great place to specify the _port_ number in mts.conf; we never decided on the syntax for specifying that since IPv6 addresses can contain colons in them so that removes the logical choice and there wasn't a lot of momentum to pick something. However, it _IS_ selectable via the -port switch to send/post and this is documented in the send(1) man page, and that's where the details are given about exactly what port is being used by default. If there's a reason you didn't look in there I'd be interested in hearing about it.

> It's not, in the end, a big deal, but I did wonder about it, and I think
> that maybe the mts.conf (mh-tailor) should say more. Presently it says:
>
>     A single hostname to be used when performing mail **submission**
>     via SMTP. Previous It is not possible to change the mail
>     submission port number in the servers entry; see the -port switch
>     to send(1) for this functionality.

Oh, huh, so we did say that? I mean ... it refers to the right place with the documentation. Oh, huh, I see what you mean; we don't actually say anywhere what the defaults are. Fair point! I will look at fixing that.

> I don't think we support TLS client authentication at all for
> submissions. I presently run postfix on localhost, and then I smarthost
> via authenticated SMTP on port 26. Because port-25 would be blocked.
> Perhaps I ought move to sending to my smarthost via submissions port,
> but I'd want to use TLS client authentication/authorization.

What, EXACTLY, do you mean by "TLS client authentication"?

- Do we support TLS? Yes! Via STARTTLS or "initial TLS"
- Do we support authentication? Yes! Via SMTP AUTH, and it supports all of the mechanisms supported by the Cyrus SASL library, and they can run over TLS.
- Do we support client certificate submission during TLS negotiation? No.

If this is what you want ... well, I'm a little surprised, as I work in an environment that makes heavy use of TLS client certificates and as far as I know this is never done for SMTP (web servers, yes, but SMTP, no). I would have to look at what it would take to add that. I imagine there are a few bits of magic you need to tell the TLS library where the certificate and private key are located. I have a question: do you specify the SASL EXTERNAL mechanism if you are doing this?

--Ken
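The colon ambiguity Ken describes above (a bare IPv6 literal cannot be told apart from host:port), shown as an added example that is not nmh code: a parser for a hypothetical servers entry accepting host, host:port, [ipv6]:port or a bare IPv6 literal, using the bracket convention to make the port unambiguous. The bracket syntax and the parse_server function are assumptions for illustration; nmh itself does not accept a port in mts.conf, as the thread explains.

```c
/* Added example, not nmh code. Parse "host", "host:port", "[ipv6]:port"
 * or a bare IPv6 literal into host and port. The bracket rule is an
 * assumption for illustration; it is what resolves the colon ambiguity. */
#include <stdlib.h>
#include <string.h>

/* Returns 0 on success, -1 on malformed input. *port is set to
 * default_port when the entry carries no port of its own. */
int parse_server(const char *entry, char *host, size_t hostlen,
                 int *port, int default_port)
{
    const char *hend, *pstr = NULL;
    size_t n;

    *port = default_port;
    if (entry[0] == '[') {                    /* [ipv6] or [ipv6]:port */
        const char *close = strchr(entry, ']');
        if (close == NULL) return -1;
        entry++;
        hend = close;
        if (close[1] == ':') pstr = close + 2;
        else if (close[1] != '\0') return -1;
    } else {
        const char *first = strchr(entry, ':');
        if (first != NULL && strchr(first + 1, ':') != NULL) {
            /* two or more colons without brackets: a bare IPv6 literal,
             * so no port can be read from it; that is the ambiguity */
            hend = entry + strlen(entry);
        } else if (first != NULL) {           /* host:port */
            hend = first;
            pstr = first + 1;
        } else {                              /* host only */
            hend = entry + strlen(entry);
        }
    }
    n = (size_t)(hend - entry);
    if (n == 0 || n >= hostlen) return -1;
    memcpy(host, entry, n);
    host[n] = '\0';
    if (pstr != NULL) {                       /* validate the port number */
        char *end;
        long p = strtol(pstr, &end, 10);
        if (*pstr == '\0' || *end != '\0' || p < 1 || p > 65535) return -1;
        *port = (int)p;
    }
    return 0;
}
```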
