On Mon, Dec 08, 2003, [EMAIL PROTECTED] wrote:

> I'm also a bit confused about TLS. As far as I understand, TLS allows the whole
> connection to be encrypted, while SASL only enables authentication. In doubt, I
> prefer to build with support for both and see later if I really use them.

I would like to encourage you to build postfix with both SASL and TLS from the start, because I've done this myself and found it to be a very useful combination.

Just stay away from the CURRENT postfix package for one reason. We update the various components (logsum, TLS, LDAP...) immediately. The TLS version must match the main postfix version to work correctly, and it sometimes takes some days for this synchronization to happen (the different authors of the different components do their work at different times). So during these days TLS can be broken. This happily won't happen with release packages, so stick to the 1.3 postfix release.

Also, if you're confused about TLS, then consider two possibilities with postfix.

The first involves postfix demanding that the client send the 'STARTTLS' opcode before any other activity (including authentication). That way, you don't have to worry about anything between client and server getting sent in cleartext.

The second doesn't involve STARTTLS at all. Instead, the client authenticates itself to postfix using a client X.509 certificate. Postfix knows the fingerprint of each client you decide to allow, and so can allow the following SMTP exchange or not.

Of course, you can use both of these possibilities in combination to do both authentication and encryption.

I personally find the X.509 authentication too restrictive because a certificate must be installed in each client before it's allowed to send email. That's why I use SMTPAUTH (our sasl package). This could potentially send the sasl passwords in the clear, so I've configured postfix to demand that 'STARTTLS' happens before any authentication. You get it?

Regards,
Michael

-- 
[EMAIL PROTECTED]
Development Team, Operations Northern Europe
Cable & Wireless Telecommunications Services GmbH
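To make the two options above concrete, here is a main.cf fragment added as an example; it is not from Michael's mail or from the Postfix project, and it assumes current Postfix parameter names (smtpd_tls_security_level and friends) rather than the 2003-era TLS patch names. File paths and the fingerprint are placeholders.

```ini
# Added example (not from the original mail). Postfix main.cf does not allow
# trailing comments on a parameter line, so every comment sits on its own line.

# --- Weak: AUTH is offered on the cleartext session as well, so a client
# may send its SASL password before (or without) STARTTLS.
#smtpd_sasl_auth_enable = yes
#smtpd_tls_security_level = may
#smtpd_tls_auth_only = no

# --- Option 1: demand STARTTLS before any authentication.
# Placeholder paths; use your real server certificate and key.
smtpd_tls_cert_file = /etc/postfix/server.crt
smtpd_tls_key_file = /etc/postfix/server.key
# Offer STARTTLS to every client (use "encrypt" on the submission port to
# refuse cleartext sessions entirely) ...
smtpd_tls_security_level = may
# ... but advertise and accept AUTH only inside an established TLS session.
smtpd_tls_auth_only = yes
smtpd_sasl_auth_enable = yes

# --- Option 2: authenticate clients by X.509 certificate fingerprint.
# Ask for (but do not require) a client certificate during the handshake.
smtpd_tls_ask_ccert = yes
smtpd_tls_fingerprint_digest = sha256
# Lookup table keyed by certificate fingerprint; the value is free text.
# Example entry (constructed placeholder, not a real fingerprint):
#   AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89  laptop-alice
relay_clientcerts = hash:/etc/postfix/relay_clientcerts

# Relaying is allowed for local networks, SASL-authenticated sessions, or a
# client whose certificate fingerprint is listed; everyone else is refused.
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    permit_tls_clientcerts
    reject_unauth_destination
```

After editing, run `postmap /etc/postfix/relay_clientcerts` and reload; a cleartext session under option 1 will simply not see AUTH in the EHLO response, and a relay attempt from it fails at reject_unauth_destination.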
