David Ballano wrote:
> Hello everybody,
> I have almost set up my postfix, that's what I've done.
> configured postfix with TLS SASL2 via pam (saslauthd) with virtual
> domains and unix accounts that's my main.cf
> but here is something I think is not going ok. with this method of
> auth saslauth I read that only I can use plain and login mech's but
> that's no problem because I configured tls for smtp.

Yes those are common settings.

> but what happens if some client don't use tls?

All modern mail clients support TLS. Some ancient mail
clients (and some smartphones) only support "wrappermode"
encryption on the deprecated "smtps" port 465.
You may want to accept "wrappermode" connections on port 465
if you have those clients. See TLS_README.

You also might want to enable the "submission" port 587 if you
haven't already. This is useful if the client's ISP blocks
outbound port 25 connections. See the sample entry in master.cf.

> I tried, and without
> tls can't send mail to other domains (relay access denied), but I can
> send mails to myself is that normal?

Yes, mail to yourself is not a relay, so is accepted from
anyone. This is normal - it's how I'm able to send you mail.

> I'm a bit confused because if
> some client don't use tls someone can get passwords and send mails
> not outside but inside.

You've correctly set in main.cf:
  smtpd_tls_auth_only = yes
so that your postfix will not even offer AUTH to non-tls
clients. With this setting, client passwords will always be
sent in an encrypted tunnel.

> is there a solution for that?, maybe telling postfix always to use
> tls, and if client not use tls reject the email, how?

That's what "smtpd_tls_auth_only = yes" does.
I see no problem here.

--
Noel Jones
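
Added example, not part of the original thread: one way to confirm the behaviour of "smtpd_tls_auth_only = yes" is to compare the EHLO reply before STARTTLS with the one after it. The function names and the sample replies (host mail.example.com) are constructed for illustration.

```python
import re
import smtplib
import ssl

def ehlo_extensions(reply):
    """Map each ESMTP keyword in an EHLO reply to its parameter string."""
    ext = {}
    for line in reply.splitlines()[1:]:               # first line is the server name
        line = re.sub(r"^250[- ]", "", line.strip())  # accept raw or stripped replies
        if not line:
            continue
        keyword, _, params = line.partition(" ")
        # Postfix also prints "AUTH=..." when broken_sasl_auth_clients = yes.
        if keyword.upper().startswith("AUTH="):
            keyword, params = "AUTH", (keyword[5:] + " " + params).strip()
        ext.setdefault(keyword.upper(), params.strip())
    return ext

def check_auth_policy(plain_reply, tls_reply=None):
    """Return findings; an empty list means AUTH is only offered inside TLS."""
    findings = []
    before = ehlo_extensions(plain_reply)
    if "AUTH" in before:
        findings.append("AUTH offered before STARTTLS: " + before["AUTH"])
    if "STARTTLS" not in before or tls_reply is None:
        findings.append("STARTTLS not offered")
    elif "AUTH" not in ehlo_extensions(tls_reply):
        findings.append("AUTH not offered after STARTTLS")
    return findings

def probe(host, port=587):
    """Live check against a server you administer (certificate must verify)."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        plain = s.ehlo()[1].decode("ascii", "replace")
        tls = None
        if s.has_extn("starttls"):
            s.starttls(context=ssl.create_default_context())
            tls = s.ehlo()[1].decode("ascii", "replace")
        return check_auth_policy(plain, tls)

# Constructed sample replies, in the shape a Postfix server sends them.
PLAIN_OK = "250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
PLAIN_WEAK = "250-mail.example.com\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
TLS_OK = "250-mail.example.com\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    print(check_auth_policy(PLAIN_OK, TLS_OK))     # expected setup
    print(check_auth_policy(PLAIN_WEAK, TLS_OK))   # AUTH leaks onto the cleartext session
```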