On Tue, Nov 02, 2010 at 10:27:07AM -0400, Zhou, Yan wrote:
> I have two Postfix instances, I wish to set up
> 1. one with SSL so that clients can connect and send messages to it,
> WITHOUT authentication but the session is secure, this requires Postfix
> with TLS support.
> 2. the other with SASL2 support so that clients will need
> authentication, but the user database is set up on LDAP.
These requirements are not incompatible. A *single* Postfix instance
- Support STARTTLS, and even attempt to enforce it for some
  clients via access tables that trigger "reject_plaintext_session".
- Support SASL auth, and require it for sending outbound email or
  in general. For submission, the recommended approach is to have
  submission clients use a port 587 service that enforces both
  TLS and SASL auth.
> 3. I also wish to use DoveCot to get messages from the 2nd Postfix,
> DoveCot require SMTP authentication, too.
Dovecot requires SASL (not SMTP) authentication, and in fact
can act as a SASL back-end for the Postfix SMTP server. See
> 1. can one Postfix server with multiple IPs serving both needs? I know
> Postfix can route messages differently based on IP, but not sure whether
> it can support different authentication mechanism on one instance.
- You don't need multiple IPs. Just a suitable access policy
- TLS is not an authentication mechanism, unless you are one of the
  few and the brave using client certs (don't on a port 25 service,
  but some submission port 587 servers request/require client certs).
> 2. How do I know my pre-installed Postfix 2.3.3 already has TLS support
> built-in or not? I read that this may require a recompilation with TLS
> flag enabled.
if an error is returned, you need to recompile. Postfix 2.3 is very
old and no longer supported/updated; you really should be using 2.4
or later, ideally 2.7.1 if you plan to upgrade.
> 3. How do I know pre-installed DoveCot already has LDAP support
> built-in, or does it require a recompilation?
This is the Postfix list.
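As an added illustration (not part of this thread, and not the poster's or the list's own configuration), here is one way to lay out the single-instance design described in the reply: STARTTLS offered on port 25 and enforced for selected clients via an access table returning reject_plaintext_session, a port 587 submission service that requires both TLS and SASL, and Dovecot acting as the SASL back-end with its users in LDAP. Hostnames, certificate paths, the 192.0.2.0/24 client range and the Dovecot 2.x syntax are assumptions.

```conf
# ---- /etc/postfix/main.cf (excerpt) ----
# Port 25: offer STARTTLS but do not require it (opportunistic TLS).
# Postfix does not allow trailing comments on parameter lines.
smtpd_tls_security_level = may
# placeholder certificate and key paths
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_tls_received_header = yes
# SASL is provided by Dovecot over a socket inside the Postfix queue dir
# (smtpd_sasl_type = dovecot needs Postfix 2.3 or later).
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# AUTH stays off on port 25; it is switched on per service in master.cf.
smtpd_sasl_auth_enable = no
# Clients listed in the cidr table must have negotiated TLS before RCPT
# (restrictions are evaluated at RCPT because smtpd_delay_reject = yes).
smtpd_client_restrictions = check_client_access cidr:/etc/postfix/tls_required
smtpd_recipient_restrictions =
    permit_mynetworks
    permit_sasl_authenticated
    reject_unauth_destination

# ---- /etc/postfix/tls_required (cidr table, constructed sample) ----
# 192.0.2.0/24   reject_plaintext_session

# ---- /etc/postfix/master.cf (submission entry) ----
# Port 587: TLS is mandatory, AUTH is only advertised after STARTTLS,
# and nothing is accepted from clients that did not authenticate.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination

# ---- /etc/dovecot/conf.d/10-auth.conf (Dovecot 2.x syntax, assumed) ----
# Expose Dovecot's SASL service where the (chrooted) Postfix smtpd can reach it.
auth_mechanisms = plain login
passdb {
  driver = ldap
  args = /etc/dovecot/dovecot-ldap.conf.ext
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    user = postfix
    group = postfix
  }
}
```

With this layout an unauthenticated relay on port 25 still works for mynetworks and for inbound mail, while outside clients can only inject mail on 587 after an encrypted, authenticated session.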