On 04/02/2011 09:50 PM, Alex wrote:

Okay, I think I have it working correctly now. I believe my mistake
was with using the incorrect ports for authentication.

Authentication doesn't have a "port" - it is an integral part of the SMTP protocol.

I think I may
not fully understand the logic behind the whole process still,
however.

I've changed smtpd_tls_security_level to 'may' from 'encrypt' in
main.cf because it also needs to be able to accept mail from non-TLS
authenticated clients (which are actually other postfix servers) in
addition to my K9 android mail client.

You shouldn't run TLS at all on port 25 if you're not using it for submission - and there is no reason to do so.

Unlike my cell phone, these other mail servers have fixed IP addresses.
I believe there is a way to specify a list of servers that explicitly
do not require TLS, is that correct?

Yes, but unnecessary.

In master.cf, I have the following:

submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING

If I understand this correctly, the connection is first established
over TLS through port 25, then this section enables SASL over that TLS
connection, and only if there is a TLS connection, correct?

No.
Submission is a TCP service on port 587, so this daemon listens on port 587.

I am using the default dovecot certificates.

Certificates have nothing to do with SMTP AUTH, and dovecot is not involved in either SMTP or TLS.

They are used to validate the client in a TLS connection.

I have been unable to
locate the applications to create a new cert on my fedora14 box.

That would be openssl.
man openssl will have details on how to generate a certificate, but X.509 is a whole 'nother subject.

What
am I missing that the lines below state a client certificate was not
requested? Is that an issue with my mail client on my phone, or the
dovecot configuration?

Since dovecot does not use the certificate in any way - unless you're talking about *IMAP* over TLS - it is a postfix configuration issue.

Read http://www.postfix.org/postconf.5.html#smtpd_tls_ask_ccert for details.


--
J.
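The master.cf entry discussed in this thread, audited by a small script: an added example, not code from the thread or from Postfix. It parses the service entries and their `-o` overrides, then checks that the submission service (port 587) forces TLS and SASL and admits only authenticated clients, and that the port 25 smtp service does not force TLS (other MTAs may not use it). The sample file contents are constructed.

```python
import re

# Constructed master.cf excerpt modelled on the entry quoted in the thread.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
   -o smtpd_tls_security_level=encrypt
   -o smtpd_sasl_auth_enable=yes
   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
   -o milter_macro_daemon_name=ORIGINATING
"""

OVERRIDE = re.compile(r"-o\s+(\w+)=(\S*)")

def parse_master_cf(text):
    """Map each master.cf service name to its '-o key=value' overrides.
    A line that starts with whitespace continues the previous entry."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if not raw[0].isspace():
            current = raw.split()[0]  # first field is the service name
            services.setdefault(current, {})
        if current is not None:
            for key, value in OVERRIDE.findall(raw):
                services[current][key] = value
    return services

def audit_submission(services):
    """Return findings for the port 587 submission service and port 25 smtp."""
    findings = []
    sub = services.get("submission")
    if sub is None:
        findings.append("no submission service: authenticated clients need port 587")
    else:
        if sub.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission: set smtpd_tls_security_level=encrypt")
        if sub.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("submission: set smtpd_sasl_auth_enable=yes")
        restr = sub.get("smtpd_client_restrictions", "").split(",")
        if "permit_sasl_authenticated" not in restr or restr[-1] != "reject":
            findings.append("submission: set smtpd_client_restrictions="
                            "permit_sasl_authenticated,reject")
    # Port 25 talks to other MTAs, which may not use TLS, so it must not require it.
    if services.get("smtp", {}).get("smtpd_tls_security_level") == "encrypt":
        findings.append("smtp (port 25): do not force TLS; keep security_level=may")
    return findings
```

Running `audit_submission(parse_master_cf(open("/etc/postfix/master.cf").read()))` on a real file returns an empty list when the entry matches the one quoted above.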
