On Tue, Apr 05, 2011 at 01:02:11PM -0700, Fire walls wrote:

> I want to move to TLS, I already had my certs and they were working, I want
> to setup Postfix MTA to use my Certs and be more secure.

TLS is not a synonym for security. Enabling TLS does not necessarily make
your mail server "more secure". The opposite may be true, if you don't really
benefit from TLS, but all the additional code makes attacks against the
server more likely.

This said, TLS can protect PLAIN SASL authentication on port 587 for roaming
users. TLS can also facilitate "secure-channel" mail delivery to selected
business partners. Finally, opportunistic TLS thwarts passive wiretap of your
mail traffic to peers that support TLS.

If one of these is your use case for TLS, then read:

    http://www.postfix.org/TLS_README.html

> I had read postfix info and looks like I understand the setup, my doubt is
> with my spam-gateway, right now my spam-gateway receives the inbound messages
> and later it sends it back to my MTA working.

If Postfix is not the first hop for incoming mail, you can't use Postfix for
TLS with incoming mail, that needs to be done by the first-hop SMTP talker,
unless the first hop proxies the connection through and is willing to allow
TLS traffic to flow through uninspected.

Similarly for outbound mail, TLS is only useful between the final SMTP talker
at your site and the rest of the world.

-- 
	Viktor.
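For readers who do fall into one of the three use cases Viktor lists, here is an added configuration example (not part of his reply, and not taken from TLS_README) showing how each maps onto Postfix settings: opportunistic TLS for inbound and outbound port-25 traffic, mandatory TLS before PLAIN SASL on the port-587 submission service, and a per-destination "secure" policy for one business partner. The certificate and key paths, the CA bundle path and the domain partner.example are placeholders; substitute your own. Postfix does not allow trailing comments on a parameter line, so every comment sits on its own line.

```conf
# ---- /etc/postfix/main.cf (added settings) ----

# Inbound, port 25: opportunistic TLS. Remote MTAs that offer STARTTLS get
# an encrypted session (defeating passive wiretap); everyone else is still
# accepted in plaintext, so no mail is lost to peers without TLS.
smtpd_tls_security_level = may
# Placeholder paths: the server certificate chain and private key.
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/certs/mail.example.com.key
# Record the negotiated protocol/cipher in the Received: header and log at
# level 1 so you can verify TLS is actually being used.
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1

# Outbound: opportunistic TLS by default, with a policy table that raises
# the level for selected destinations ("secure-channel" partners).
smtp_tls_security_level = may
# Placeholder path: CA bundle used to verify partner certificates.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/master.cf (submission service, port 587) ----

# Roaming users: require TLS before AUTH is even offered, then require a
# successful SASL login before accepting mail. PLAIN credentials never
# cross the wire unencrypted.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# ---- /etc/postfix/tls_policy (run: postmap /etc/postfix/tls_policy) ----

# Mail for partner.example (placeholder domain) must use TLS and the
# partner's certificate must verify against the CA bundle and carry a
# name under .partner.example or exactly partner.example; otherwise
# delivery is deferred rather than downgraded.
partner.example         secure match=.partner.example:partner.example
```

The smtpd_ settings only take effect on the host that actually accepts the connection from the Internet. As the reply points out, if a spam gateway is the first hop, the inbound server-side settings belong on that gateway (or it must pass the TLS session through untouched); the smtp_ client-side settings belong on whichever host is the last to talk to the outside world.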