
Message 293849: Re: STARTTLS not announced?!

  • Peter
    Jun 16, 2013
      I do realize that this thread probably shouldn't be continued, however I
      see some gross misstatements here that need correcting so that someone
      browsing the thread won't be misled by them at a later time...

      On 06/16/2013 01:58 AM, Benny Pedersen wrote:
      >> smtpd_tls_auth_only (default: no)
      >> "When TLS encryption is optional in the Postfix SMTP server,
      >> do not announce or accept SASL authentication over unencrypted
      >> connections. "
      > it does not say it disables auth anywhere, it just says it would not be
      > possible to connect without starttls or not,

      No, it disables auth until STARTTLS is established. It has nothing to do
      with the connection.

      > just because it is seldom seen in real life that no one will send auth over
      > a non tls/ssl does not mean it does not work

      It does not work if smtpd_tls_auth_only is set to yes.

      > starttls is just for clients to use ssl/tls on port 25,

      Actually clients shouldn't use port 25, and neither should you be using
      auth on port 25. Clients will use STARTTLS on port 587, however, and
      both postfix and MUAs can be configured to use STARTTLS on any port you
      wish (via master.cf).

      > email clients will not use starttls in 2013,

      Seriously? So how is an MUA intended to establish an encrypted
      connection to an MSA, then?

      > since submission is the right thing anyway

      Submission is a port (587) which uses the (e)smtp protocol to submit
      messages from an MUA (email client) to an MSA (email submission server)
      and can use STARTTLS for encryption. There is no other way to do
      encryption on the submission port.

      > it's still not needed to use ssl/tls to make auth work

      It is if you set smtpd_tls_auth_only=yes.
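The behaviour Peter describes (with smtpd_tls_auth_only=yes, Postfix does not announce AUTH in the EHLO reply on a plaintext connection, and only lists it after STARTTLS) can be verified from the server's own EHLO responses. The script below is an added example, not code from this thread or from the Postfix project: parse_ehlo() and assess() work on constructed EHLO transcripts so they run offline, and probe_server() applies the same checks to a live host on port 587 using Python's standard smtplib. The hostname mail.example.invalid and the capability lists are made up for the example.

```python
"""Check whether an SMTP submission server announces AUTH before STARTTLS.

Added example (not from the thread): with Postfix smtpd_tls_auth_only=yes,
the EHLO reply on a plaintext connection must not list AUTH; after STARTTLS
the second EHLO should. The transcripts below are constructed sample data.
"""
import smtplib


def parse_ehlo(response: str) -> dict:
    """Parse a raw multi-line EHLO reply into {keyword_lower: params}.

    Continuation lines are '250-KEYWORD [params]'; the final line is
    '250 KEYWORD [params]'. The first line carries the server hostname and
    is skipped. Malformed lines raise ValueError rather than being ignored.
    """
    features = {}
    lines = response.strip().splitlines()
    for index, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO line: {line!r}")
        if index == 0:
            continue  # "250-mail.example.invalid" greeting, not a capability
        body = line[4:].strip()
        if not body:
            continue
        keyword, _, params = body.partition(" ")
        features[keyword.lower()] = params.strip()
    return features


def assess(pre_tls_response: str, post_tls_response: str = None) -> dict:
    """Summarise what the server exposes before and after STARTTLS.

    plaintext_auth_exposed is the finding a defender cares about: AUTH being
    offered on the unencrypted leg means credentials can be sent in the clear.
    """
    pre = parse_ehlo(pre_tls_response)
    result = {
        "starttls_offered": "starttls" in pre,
        "auth_before_tls": "auth" in pre,
        "auth_after_tls": None,
    }
    if post_tls_response is not None:
        result["auth_after_tls"] = "auth" in parse_ehlo(post_tls_response)
    result["plaintext_auth_exposed"] = result["auth_before_tls"]
    return result


def probe_server(host: str, port: int = 587, timeout: float = 10.0) -> dict:
    """Run the same checks against a live submission server (network access
    required, so this is not exercised offline). smtplib lowercases the
    keywords it stores in esmtp_features, matching parse_ehlo()."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        pre = dict(smtp.esmtp_features)
        result = {
            "starttls_offered": "starttls" in pre,
            "auth_before_tls": "auth" in pre,
            "auth_after_tls": None,
        }
        if result["starttls_offered"]:
            smtp.starttls()
            smtp.ehlo()  # capabilities must be re-read after the TLS handshake
            result["auth_after_tls"] = "auth" in smtp.esmtp_features
        result["plaintext_auth_exposed"] = result["auth_before_tls"]
        return result


# Constructed transcripts: what a Postfix submission service looks like with
# smtpd_tls_auth_only=yes (GOOD) and without it (BAD), plus the post-STARTTLS EHLO.
PLAINTEXT_EHLO_GOOD = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
"""

PLAINTEXT_EHLO_BAD = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-AUTH PLAIN LOGIN
250 8BITMIME
"""

AFTER_TLS_EHLO = """250-mail.example.invalid
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME
"""

if __name__ == "__main__":
    print("auth-only server:", assess(PLAINTEXT_EHLO_GOOD, AFTER_TLS_EHLO))
    print("auth-anywhere server:", assess(PLAINTEXT_EHLO_BAD, AFTER_TLS_EHLO))
```

For the GOOD transcript assess() reports starttls_offered True, auth_before_tls False and auth_after_tls True, which is exactly the smtpd_tls_auth_only=yes behaviour; the BAD transcript flags plaintext_auth_exposed. probe_server("your.mta.example", 587) performs the same two EHLO exchanges against a real service, which is the quickest way to confirm the setting took effect on the submission port.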
