Re: Sufficiently locked down?

Stan Hoeppner
Jan 25, 2013

On 1/25/2013 10:18 AM, btb@... wrote:
> On Jan 24, 2013, at 22.57, Stan Hoeppner wrote:

>> The primary features of the submission service are TLS encryption and
>> authentication.
>
> the primary feature of the submission service is to provide different ports for servers and clients,

You might want to read this before repeating your statement above:

http://www.engardelinux.org/modules/index/list_archives.cgi?list=postfix-users&page=0425.html&month=2012-03

Note that the port is TCP 587, that TLS is enabled, and auth is enabled.
The submission service isn't simply for separating traffic on different
ports. It's for secure submission of user mail with auth, over the
wire. It is not intended for submission via IPC.

> ...the submission protocol defines a port for clients to use, period.

Again, not true. See above.

>> Even the user logging of submission is useless, as it's a single user box.
>
> hmm, not sure where you got this idea. there have been no such statements from the op.

Long experience. The only reason to use the submission service in an
IPC scenario is on a multiuser webmail server with local Postfix. The
submission service logs the authenticated user name. So even though the
encryption and authentication are useless for security reasons in an IPC
submission scenario, having the username logged is advantageous. For
instance, if a user spams, is being abusive, sends threats, etc., the
admin can track down who sent the emails.

This is the only scenario where using the submission service for IPC
submission makes any sense. So again, for a single user box running
both the MUA and Postfix, one is better off using the standard smtpd
server on TCP 25, or creating a non-TLS/auth submission service on an
arbitrary port.

--
Stan
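An added illustration, not part of the thread, of the two configurations Stan contrasts as they would appear in Postfix master.cf: the standard submission service on TCP 587 with TLS and SASL authentication required, beside a loopback-only service on an arbitrary port with neither. The parameter names are Postfix's own; port 2525 and the syslog_name values are assumptions chosen for the example.

```conf
# Postfix master.cf fragment (added illustration, not from the thread).
#
# 1) The standard submission service: TCP 587, reachable over the wire,
#    so TLS is mandatory and only SASL-authenticated clients may relay.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# 2) The "non-TLS/auth submission service on an arbitrary port" for a
#    single-user box where the MUA and Postfix share the host. Port 2525 is
#    a constructed placeholder. Binding the listener to 127.0.0.1 keeps a
#    service that requires neither TLS nor authentication off the wire
#    entirely; 127.0.0.0/8 is always part of mynetworks, so the loopback
#    client is the only one permitted to relay. smtpd_relay_restrictions
#    needs Postfix 2.10 or later; older releases use only
#    smtpd_recipient_restrictions.
127.0.0.1:2525 inet n   -       n       -       -       smtpd
  -o syslog_name=postfix/local-submission
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_relay_restrictions=permit_mynetworks,reject
```

The distinct syslog_name values let the two services be told apart in the mail log; `postconf -M` lists the resulting master.cf entries after a `postfix reload`.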