On 10/18/2011 12:04 PM, Simon Brereton wrote:
> On 13 October 2011 20:11, Noel Jones <njo...@megan.vbhcs.org> wrote:
>> The only place you should really care about encryption is if your
>> own clients submit SASL authenticated mail -- the far most common
>> auth mechanisms are PLAIN and LOGIN which really should be protected
>> inside a TLS connection. This is commonly controlled by using
>> "smtpd_tls_auth_only = yes", and if you use the recommended
>> submission port, setting '-o smtpd_enforce_tls=yes' on the
>> submission entry in master.cf. In these cases, if TLS isn't used or
>> doesn't work, the client can't transfer mail.
>
>
> Sorry to resurrect this - and gmail won't let me amend the subject.
> After reading this, I was concerned about my submission port
> settings. I have:
>
> submission inet n - n - - smtpd
>   -o smtpd_delay_reject=yes
>   -o receive_override_options=no_address_mappings
>   -o content_filter=dksign:[127.0.0.1]:10028
>   -o smtpd_enforce_tls=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
>
> Is "smtpd_enforce_tls=yes" a suitable replacement/substitute for
> "smtpd_tls_auth_only = yes"?
They do different things; I expect most people use both.

smtpd_enforce_tls is obsolete; instead use
  -o smtpd_tls_security_level=encrypt
This setting will reject all mail from unencrypted connections. The
"encrypt" setting must not be used on a public-facing port 25, but is
widely used and recommended on the submission port.

smtpd_tls_auth_only prevents postfix from offering or accepting the
AUTH command until after an encrypted session is started. It is
commonly used on both the submission port and on port 25.

> The TLS readme only talks about smtpd_tls_auth_only (and warns
> against it) for server-server connections.

I don't see that.
http://www.postfix.org/TLS_README.html#server_tls_auth doesn't
mention servers.
http://www.postfix.org/TLS_README.html#server_enable mentions both
smtpd_tls_security_level and the obsolete smtpd_enforce_tls, and
warns that encryption must not be required on public-facing SMTP
servers (that means your MX on port 25).

-- Noel Jones
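As an added illustration of the two settings Noel distinguishes above (this is example code written for this page, not code from the thread or from Postfix itself), the script below parses a master.cf excerpt and audits each service: it flags the obsolete smtpd_enforce_tls, checks that the submission service ends up with smtpd_tls_security_level=encrypt, warns if "encrypt" is set on the smtp (port 25) service, and reports a SASL-enabled service that lacks smtpd_tls_auth_only=yes. The two master.cf excerpts are constructed for the example (the first mirrors the quoted submission entry, the second uses both settings); the function names, the finding strings and the minimal master.cf parser are all assumptions of this example and not Postfix interfaces. The precedence in effective_tls_level follows the documented Postfix behaviour that the obsolete smtpd_use_tls/smtpd_enforce_tls parameters are consulted only while smtpd_tls_security_level is empty.

```python
"""Audit Postfix master.cf services for the TLS/AUTH settings discussed
above.  Added example, not code from the thread or from Postfix; the
master.cf text below is constructed to mirror the quoted entry."""

from dataclasses import dataclass, field

# Obsolete parameter -> (replacement parameter, the value it stood for)
OBSOLETE = {
    "smtpd_enforce_tls": ("smtpd_tls_security_level", "encrypt"),
    "smtpd_use_tls": ("smtpd_tls_security_level", "may"),
}

@dataclass
class Service:
    name: str
    type: str
    command: str
    options: dict = field(default_factory=dict)   # '-o name=value' overrides

def _collect_overrides(tokens, service):
    """Pick '-o name=value' pairs out of a whitespace-split token list."""
    i = 0
    while i < len(tokens):
        if tokens[i] == "-o" and i + 1 < len(tokens):
            name, _, value = tokens[i + 1].partition("=")
            service.options[name] = value
            i += 2
        else:
            i += 1

def parse_master_cf(text):
    """A service line has 8 whitespace-separated fields; a line that starts
    with whitespace continues the previous service and carries -o options."""
    services, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            if current is None:
                raise ValueError("continuation line before any service entry")
            _collect_overrides(raw.split(), current)
            continue
        fields = raw.split()
        if len(fields) < 8:
            raise ValueError(f"malformed service line: {raw!r}")
        current = Service(fields[0], fields[1], fields[7])
        _collect_overrides(fields[8:], current)   # options on the same line
        services[current.name] = current
    return services

def effective_tls_level(service, main_cf):
    """Postfix consults the obsolete smtpd_use_tls/smtpd_enforce_tls only
    while smtpd_tls_security_level is empty; mirror that precedence.
    A master.cf -o override wins over the main.cf value."""
    get = lambda k, d="": service.options.get(k, main_cf.get(k, d))
    level = get("smtpd_tls_security_level")
    if level:
        return level
    if get("smtpd_enforce_tls", "no") == "yes":
        return "encrypt"
    if get("smtpd_use_tls", "no") == "yes":
        return "may"
    return "none"

def audit(service, main_cf=None):
    """Return a list of finding strings for one service."""
    main_cf = main_cf or {}
    get = lambda k, d: service.options.get(k, main_cf.get(k, d))
    findings = []
    for old, (new, value) in OBSOLETE.items():
        if old in service.options:
            findings.append(f"{old} is obsolete; use -o {new}={value}")
    level = effective_tls_level(service, main_cf)
    if service.name == "submission" and level != "encrypt":
        findings.append("submission should require TLS (smtpd_tls_security_level=encrypt)")
    if service.name == "smtp" and level == "encrypt":
        findings.append("port 25 must not require TLS; use 'may' on a public MX")
    # PLAIN/LOGIN credentials leak if AUTH is offered before the session is encrypted
    if get("smtpd_sasl_auth_enable", "no") == "yes" and get("smtpd_tls_auth_only", "no") != "yes":
        findings.append("AUTH offered before TLS; set smtpd_tls_auth_only=yes")
    return findings

def audit_text(text, main_cf=None):
    """Audit every service in a master.cf text; returns {service: findings}."""
    return {name: audit(svc, main_cf) for name, svc in parse_master_cf(text).items()}

# Constructed excerpt mirroring the quoted submission entry.
BEFORE = """\
submission inet n       -       n       -       -       smtpd
  -o smtpd_delay_reject=yes
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

# Constructed excerpt using both settings, plus an unremarkable port-25 entry.
AFTER = """\
smtp       inet n       -       n       -       -       smtpd
submission inet n       -       n       -       -       smtpd
  -o smtpd_delay_reject=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_text(text, {"smtpd_tls_security_level": "may"}))
```

Run against the first excerpt with no main.cf settings, the audit reports the obsolete parameter and the missing smtpd_tls_auth_only. Pass it a main.cf that already sets smtpd_tls_security_level=may (a common main.cf value for the port-25 MX) and it also reports that submission no longer requires TLS: because smtpd_tls_security_level is then non-empty, Postfix ignores the -o smtpd_enforce_tls=yes override entirely, which is the practical reason to switch the submission entry to -o smtpd_tls_security_level=encrypt rather than keep the obsolete name.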