On 10/10/2013 09:37 PM, Les Fenison wrote:
> The docs say SSL and TLS are the same thing but I think we all know
> better.. I am not an expert so I am not sure of the differences except
> that when in Outlook configuring the send/receive settings, we have a
> choice of None, SSL, or TLS.
>
> TLS succeeds, SSL fails until I make this change..
>
> tls-level=smtps
>
> But when I do that, we suddenly stop receiving emails from servers like
> gmail and many others. While the mail flow doesn't stop entirely, it
> is blocking about 50% because of this.
>
> So, how can we have it both ways? I want my customers to be able to
> use SSL or TLS, yet I want to be able to receive mail from all mail
> servers.. Is this possible? Here is some of my configuration that
> may apply..
>
>
> smtp-auth-level=observe
> smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /bin/true
> hostname=zeus.mydomain.com
> #hostname-file=FILE
> #hostname-command=COMMAND
> tls-level=smtp
> tls-certificate-file=/var/qmail/control/servercert.pem
> #tls-privatekey-file=FILE
> #tls-privatekey-password=PASSWORD
> #tls-privatekey-password-file=FILE
>
> Running spamdyke 4.3.1+TLS+CONFIGTEST+DEBUG
> Server is Plesk 11.5
> CentOS 6.4
>
> In my smtps_psa file I have this...
>
> service smtps
> {
>     socket_type = stream
>     protocol    = tcp
>     wait        = no
>     disable     = no
>     user        = root
>     flags       = IPv6
>     instances   = UNLIMITED
>     env         = SMTPAUTH=1
>     server      = /var/qmail/bin/tcp-env
>     server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
> }
>
>
>
> Any help would be appreciated.
>
I'll try to explain this off the top of my head.

It annoys me too when SSL and TLS are said to be the same. They both use
the same SSL encryption, but the way that they're implemented is indeed
different.

SSL came first, and is implemented such that every connection on a port
must use SSL. Hence 2 ports are required when a service may or may not
use SSL, and the port used determines whether or not encryption is used.
So we see IMAP using port 143, IMAPS using 993, etc.

TLS was later developed to alleviate the need for having 2 different
ports for a service, and is thus simpler and more efficient. TLS
encryption is negotiated using STARTTLS after the port connection is
made, so an unencrypted connection changes to encrypted on the fly.

On a side note with regards to smtp, smtps (or ssmtp) on port 465 was
never actually made a standard (in an RFC), oddly enough. It has however
been pretty widely implemented ttbomk.

That being said, I'm not familiar with Plesk, so I'm not certain about
how to fix your setup. I believe however that if you want to support
both SSL and TLS protocols for submissions, you'll want to set up port
587 for TLS submissions and 465 for SSL submissions, with authentication
required on both ports. That way you won't affect emails coming from
outside servers using port 25 (and TLS quite often).

Note that clients using TLS may still use port 25 for submissions
(unless you have smtp-auth disabled somehow on that port), but port 587
is preferred for TLS submissions. Clients using SSL (not TLS) must use
port 465.

Capisce?
--
-Eric 'shubes'
_______________________________________________
spamdyke-users mailing list
[email protected]
http://www.spamdyke.org/mailman/listinfo/spamdyke-users
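The split that Eric describes, as a concrete configuration (this is an added example for this page, not something posted in the thread and not part of spamdyke or Plesk). The idea is that `tls-level=smtps` must only ever apply to the port-465 service, so that service gets its own spamdyke config file; the port-25 (and any port-587 submission) service keeps `tls-level=smtp`, so inbound servers that start in plaintext still get the `220` greeting and can choose STARTTLS. The file name `/etc/spamdyke-smtps.conf` is an assumption; the option names and the `smtps_psa` layout are the ones shown in the original post, while `smtp-auth-level=always` is taken from spamdyke's documented value list and should be checked against the README shipped with 4.3.1.

```conf
# /etc/spamdyke.conf
# Used by the port-25 service (and by a port-587 submission service, if one
# is defined the same way). STARTTLS is offered after the plaintext greeting,
# so remote MTAs that connect unencrypted keep working.
tls-level=smtp
tls-certificate-file=/var/qmail/control/servercert.pem
smtp-auth-level=observe
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /bin/true
hostname=zeus.mydomain.com

# /etc/spamdyke-smtps.conf   (assumed file name; used only by port 465)
# TLS is negotiated before any SMTP command is exchanged, which is what the
# "SSL" choice in Outlook expects. Because this port is submission-only,
# authentication is required; "always" is one of spamdyke's documented
# smtp-auth-level values (verify against the README for your version).
tls-level=smtps
tls-certificate-file=/var/qmail/control/servercert.pem
smtp-auth-level=always
smtp-auth-command=/var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /bin/true
hostname=zeus.mydomain.com

# /etc/xinetd.d/smtps_psa
# Identical to the port-25 service except for the -f argument, which points
# spamdyke at the smtps-only config above.
service smtps
{
    socket_type = stream
    protocol    = tcp
    wait        = no
    disable     = no
    user        = root
    flags       = IPv6
    instances   = UNLIMITED
    env         = SMTPAUTH=1
    server      = /var/qmail/bin/tcp-env
    server_args = -Rt0 /usr/local/bin/spamdyke -f /etc/spamdyke-smtps.conf /var/qmail/bin/relaylock /var/qmail/bin/qmail-smtpd /var/qmail/bin/smtp_auth /var/qmail/bin/true /var/qmail/bin/cmd5checkpw /var/qmail/bin/true
}
```

After restarting xinetd, a quick way to confirm the split is to watch the first bytes of each port: port 25 should answer a bare TCP connection with a `220` banner and list `STARTTLS` in its EHLO response, while port 465 should stay silent until the client begins a TLS handshake. If the `220` banner disappears from port 25, the smtps config has been picked up by the wrong service and inbound mail from plaintext-first MTAs will fail again.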