STARTTLS not announced?!

  • Nabil Alsharif
    Message 1 of 20 , Jun 14, 2013
      Hi everyone,

      I just set up postfix on my server but I'm having a problem with TLS. I have TLS configured, there are no errors in the log, but the server does not announce TLS support. Here is the relevant output from 'postconf -n'; the full output is at the end of the message:

      ---------------------------------------------------------------------------------------------------
      smtp_tls_note_starttls_offer = yes
      smtp_use_tls = yes
      smtpd_banner = $myhostname ESMTP
      smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
      smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
      smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
      smtpd_tls_loglevel = 1
      smtpd_tls_security_level = encrypt
      smtpd_use_tls = yes
      -----------------------------------------------------------------------------------------

      Like I said, the server does not announce STARTTLS:

      -----------------------------------------------------------------------------------
      tantalum@3antar ~ % telnet sahara-sweets.com 25
      Trying 176.58.120.55...
      Connected to sahara-sweets.com.
      Escape character is '^]'.
      220 circuitsofimagination.com ESMTP
      EHLO test.com
      250-circuitsofimagination.com
      250-PIPELINING
      250-SIZE 10485760
      250-VRFY
      250-ETRN
      250-ENHANCEDSTATUSCODES
      250-8BITMIME
      250 DSN
      QUIT
      221 2.0.0 Bye
      Connection closed by foreign host.

      -------------------------------------------------------------------------------

      Thanks to everyone for their help. If there is any info that will help in solving this issue, I'd be happy to provide it.

      Full output from postconf:
      alias_database = hash:/etc/aliases
      alias_maps = hash:/etc/aliases
      command_directory = /usr/sbin
      config_directory = /etc/postfix
      daemon_directory = /usr/libexec/postfix
      data_directory = /var/lib/postfix
      debug_peer_level = 2
      debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd $daemon_directory/$process_name $process_id & sleep 5
      header_checks = regexp:/etc/postfix/header_checks
      home_mailbox = Maildir/
      html_directory = no
      inet_interfaces = all
      inet_protocols = ipv4
      mail_owner = postfix
      mailbox_size_limit = 1073741824
      mailq_path = /usr/bin/mailq.postfix
      manpage_directory = /usr/share/man
      message_size_limit = 10485760
      mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
      mydomain = circuitsofimagination.com
      myhostname = circuitsofimagination.com
      mynetworks = 127.0.0.0/8
      myorigin = $mydomain
      newaliases_path = /usr/bin/newaliases.postfix
      queue_directory = /var/spool/postfix
      readme_directory = /usr/share/doc/postfix-2.9.6/README_FILES
      sample_directory = /usr/share/doc/postfix-2.9.6/samples
      sendmail_path = /usr/sbin/sendmail.postfix
      setgid_group = postdrop
      smtp_tls_note_starttls_offer = yes
      smtp_use_tls = yes
      smtpd_banner = $myhostname ESMTP
      smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
      smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
      smtpd_tls_auth_only = yes
      smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
      smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
      smtpd_tls_loglevel = 1
      smtpd_tls_security_level = encrypt
      smtpd_use_tls = yes
      unknown_local_recipient_reject_code = 550
      virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_catchall_maps.cf
      virtual_gid_maps = static:89
      virtual_mailbox_base = /var/mail/vhosts
      virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
      virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf, mysql:/etc/postfix/sql/mysql_virtual_alias_domain_mailbox_maps.cf
      virtual_minimum_uid = 89
      virtual_uid_maps = static:89



      Nabil Alsharif.
    • Benny Pedersen
      Message 2 of 20 , Jun 14, 2013
        Nabil Alsharif wrote on 2013-06-15 01:57:

        please disable html

        > smtp_tls_note_starttls_offer = yes
        > smtp_use_tls = yes

        smtp_ is for sending

        > smtpd_banner = $myhostname ESMTP
        > smtpd_recipient_restrictions = permit_mynetworks
        > reject_unauth_destination
        > smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
        > smtpd_tls_auth_only = yes

        this disables starttls since we are already using ssl/tls now

        > smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
        > smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
        > smtpd_tls_loglevel = 1
        > smtpd_tls_security_level = encrypt
        > smtpd_use_tls = yes

        --
        senders that put my email into body content will deliver it to my own
        trashcan, so if you would like to get a reply, don't do it
      • Wietse Venema
        Message 3 of 20 , Jun 14, 2013
          Nabil Alsharif:
          > Hi everyone,
          >
          > I just set up postfix on my server but I'm having a problem with TLS. I
          > have TLS configured, there are no errors in the log, but the server does
          > not announce TLS support. Here is the relevant output from
          > 'postconf -n'; the full output is at the end of the message:

          Have you looked at all the warning messages in the maillog file?

          http://www.postfix.org/DEBUG_README.html#logging

          Wietse
        • Nabil Alsharif
          Message 4 of 20 , Jun 14, 2013
            On 06/15/2013 02:38 AM, Benny Pedersen wrote:
            > Nabil Alsharif wrote on 2013-06-15 01:57:
            >
            > please disable html
            My bad..

            >
            >> smtp_tls_note_starttls_offer = yes
            >> smtp_use_tls = yes
            >
            > smtp_ is for sending
            Ok so these two options are telling Postfix to check if STARTTLS is
            offered by the peer and use TLS if available, right?
            >
            >
            >> smtpd_banner = $myhostname ESMTP
            >> smtpd_recipient_restrictions = permit_mynetworks
            >> reject_unauth_destination
            >> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
            >> smtpd_tls_auth_only = yes
            >
            > this disables starttls since we are already using ssl/tls now
            huh? This part I don't quite understand. How are we disabling TLS? Where
            was it enabled before? When we said smtp_use_tls = yes?

            >
            >> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
            >> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
            >> smtpd_tls_loglevel = 1
            >> smtpd_tls_security_level = encrypt
            >> smtpd_use_tls = yes
            >
          • Nabil Alsharif
            Message 5 of 20 , Jun 14, 2013
              On 06/15/2013 02:39 AM, Wietse Venema wrote:

              Have you looked at all the warning messages in the maillog file?

              Yes I have, there are no errors or warnings. 'postfix check' doesn't
              return any warnings or errors either.
            • /dev/rob0
              Message 6 of 20 , Jun 14, 2013
                On Sat, Jun 15, 2013 at 01:57:12AM +0200, Nabil Alsharif wrote:
                > I just set up postfix on my server but I'm having a problem with
                > TLS. I have TLS configured, there are no errors in the log, but
                > the server does not announce TLS support. Here is the relevant
                > output from 'postconf -n'; the full output is at the
                > end of the message:
                >
                > smtp_tls_note_starttls_offer = yes
                > smtp_use_tls = yes

                smtp_* settings control smtp(8), the SMTP client, so no, those are
                not relevant to the server's failure to announce STARTTLS. (Also,
                smtp_use_tls is deprecated, superseded by smtp_tls_security_level.)

                > smtpd_banner = $myhostname ESMTP
                > smtpd_recipient_restrictions = permit_mynetworks
                > reject_unauth_destination

                Those aren't relevant either. (I'd suggest leaving the default
                $smtpd_banner setting, however.)

                > smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
                > smtpd_tls_auth_only = yes
                > smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
                > smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem

                I'm no OpenSSL expert, but I'm pretty sure it's wrong to have your
                own server certificate and key in the same file with your CAs. See
                TLS_README.html#server_tls for basic server TLS settings.

                > smtpd_tls_loglevel = 1
                > smtpd_tls_security_level = encrypt

                What? Do you understand what this means? It's not suitable for an
                Internet mail exchanger, because many sites will not use TLS (TLS
                isn't required for mail service.)

                > smtpd_use_tls = yes

                Deprecated, superseded by smtpd_tls_security_level.

                > Like I said, the server does not announce STARTTLS:

                What you showed us should have announced STARTTLS. I would guess the
                problem is related to the single file certificate+key+CAs. Since you
                mentioned upthread that no errors are logged, check your syslogd (try
                restarting it.) These errors would be logged.
                --
                http://rob0.nodns4.us/ -- system administration and consulting
                Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
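An added example, not from the thread or from Postfix: a small linter over `postconf -n` output that encodes the points made in this reply (smtp_* versus smtpd_*, the deprecated *_use_tls switches, the CA file doubling as the server certificate, and `encrypt` on a public MX). The sample input is constructed from the settings the OP posted; the finding codes are my own.

```python
"""Lint a `postconf -n` dump for the smtpd TLS problems raised in this thread.

Added example (not from the thread or from Postfix). The checks encode the
reviewers' points: smtp_* vs smtpd_* confusion, the deprecated *_use_tls
switches, one file serving as server cert, key and CA bundle, and
smtpd_tls_security_level = encrypt on an Internet mail exchanger.
"""

# Constructed sample: the TLS-related lines the OP posted.
SAMPLE_POSTCONF = """\
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP
smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
smtpd_tls_loglevel = 1
smtpd_tls_security_level = encrypt
smtpd_use_tls = yes
"""

# Deprecated on/off switches and the security_level setting that replaces each.
DEPRECATED = {
    "smtp_use_tls": "smtp_tls_security_level = may",
    "smtpd_use_tls": "smtpd_tls_security_level = may",
}


def parse_postconf(text):
    """Turn `postconf -n` output into {parameter: raw value}."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # split on the first '=' only
        if sep:
            params[key.strip()] = value.strip()
    return params


def lint_smtpd_tls(params):
    """Return [(code, message)] findings about the server-side TLS setup."""
    findings = []
    for old, new in DEPRECATED.items():
        if old in params:
            findings.append(("deprecated", f"{old} is deprecated; use {new}"))

    # smtp_* parameters configure the SMTP client, smtp(8). They never change
    # what the server, smtpd(8), announces in its EHLO reply.
    server_tls = "smtpd_tls_security_level" in params or "smtpd_use_tls" in params
    client_tls = any(k.startswith("smtp_tls") for k in params)
    if client_tls and not server_tls:
        findings.append(("client-only", "only smtp_* (client) TLS settings are "
                         "present, so smtpd will not offer STARTTLS"))

    cert = params.get("smtpd_tls_cert_file")
    if cert and cert == params.get("smtpd_tls_CAfile"):
        findings.append(("cafile-is-cert", "smtpd_tls_CAfile points at the server "
                         "certificate/key file; keep the CA bundle in a separate file"))

    level = params.get("smtpd_tls_security_level")
    if level == "encrypt":
        findings.append(("mandatory-tls", "smtpd_tls_security_level = encrypt is "
                         "not suitable for an Internet mail exchanger: senders "
                         "that do not use TLS are rejected; use 'may' on port 25"))
    if params.get("smtpd_tls_auth_only") == "yes" and level == "may":
        findings.append(("auth-after-tls", "smtpd_tls_auth_only = yes: AUTH is "
                         "announced and accepted only after STARTTLS"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_smtpd_tls(parse_postconf(SAMPLE_POSTCONF)):
        print(f"[{code}] {msg}")
```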
              • Benny Pedersen
                Message 7 of 20 , Jun 14, 2013
                  Nabil Alsharif wrote on 2013-06-15 02:59:

                  >>> smtp_tls_note_starttls_offer = yes
                  >>> smtp_use_tls = yes
                  >>
                  >> smtp_ is for sending
                  > Ok so these two options are telling Postfix to check if STARTTLS is
                  > offered by the peer and use TLS if available, right?

                  correct

                  >>> smtpd_banner = $myhostname ESMTP
                  >>> smtpd_recipient_restrictions = permit_mynetworks
                  >>> reject_unauth_destination
                  >>> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
                  >>> smtpd_tls_auth_only = yes
                  >>
                  >> this disables starttls since we are already using ssl/tls now
                  > huh? This part I don't quite understand. How are we disabling TLS?
                  > Where was it enabled before? When we said smtp_use_tls = yes?

                  it does not disable tls/ssl, but it removes starttls in a plain
                  connection without tls/ssl

                  smtpd vs smtp confusion ?

                  with that setting all smtpd_ clients must use tls or ssl

                  >>> smtpd_tls_cert_file = /etc/pki/dovecot/certs/dovecot.pem
                  >>> smtpd_tls_key_file = /etc/pki/dovecot/private/dovecot.pem
                  >>> smtpd_tls_loglevel = 1
                  >>> smtpd_tls_security_level = encrypt
                  >>> smtpd_use_tls = yes

                  note here it's the receiving part of postfix, not sending

                  --
                  senders that put my email into body content will deliver it to my own
                  trashcan, so if you would like to get a reply, don't do it
                • Benny Pedersen
                  Message 8 of 20 , Jun 14, 2013
                    /dev/rob0 wrote on 2013-06-15 03:22:

                    > What you showed us should have announced STARTTLS. I would guess the
                    > problem is related to the single file certificate+key+CAs. Since you
                    > mentioned upthread that no errors are logged, check your syslogd (try
                    > restarting it.) These errors would be logged.

                    starttls has nothing to do with self-signers

                    --
                    senders that put my email into body content will deliver it to my own
                    trashcan, so if you would like to get a reply, don't do it
                  • Jan Kohnert
                    Message 9 of 20 , Jun 14, 2013
                      On Saturday, 15 June 2013, 03:45:02, Benny Pedersen wrote:
                      > Nabil Alsharif wrote on 2013-06-15 02:59:
                      > >>> smtpd_tls_auth_only = yes
                      > >>
                      > >> this disables starttls since we are already using ssl/tls now
                      > >
                      > > huh? This part I don't quite understand. How are we disabling TLS?
                      > > Where was it enabled before? when we said smtp_use_tls = yes?
                      >
                      > it does not disable tls/ssl, but it removes starttls in a plain
                      > connection without tls/ssl

                      Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.

                      --
                      Regards, Jan
                    • Benny Pedersen
                      Message 10 of 20 , Jun 14, 2013
                        Jan Kohnert wrote on 2013-06-15 03:58:

                        > Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.

                        starttls has nothing to do with auth or not

                        auth users can still send plain passwords over unsecured smtpd client
                        connections, starttls just secures their passwords, so tcpdumpers can't
                        see them

                        postfix still announces auth on port 25 with sasl disabled in main.cf,
                        here i have only sasl on submission / smtps

                        bug ?

                        --
                        senders that put my email into body content will deliver it to my own
                        trashcan, so if you would like to get a reply, don't do it
                      • /dev/rob0
                        Message 11 of 20 , Jun 14, 2013
                          On Sat, Jun 15, 2013 at 03:45:02AM +0200, Benny Pedersen wrote:
                          > Nabil Alsharif wrote on 2013-06-15 02:59:
                          >
                          > >>> smtp_tls_note_starttls_offer = yes
                          > >>> smtp_use_tls = yes
                          > >>
                          > >> smtp_ is for sending
                          > > Ok so these two options are telling Postfix to check if STARTTLS
                          > > is offered by the peer and use TLS if available, right?
                          >
                          > correct

                          smtp_tls_note_starttls_offer means to note (i.e., log) when a remote
                          server offers STARTTLS. "smtp_use_tls=yes" is the same as (replaced
                          by) "smtp_tls_security_level=may". All of these are covered in the
                          TLS_README.html (except for the deprecated settings, of course.)

                          And none of this is relevant to the $SUBJECT at hand.

                          > >>> smtpd_banner = $myhostname ESMTP
                          > >>> smtpd_recipient_restrictions = permit_mynetworks
                          > >>> reject_unauth_destination
                          > >>> smtpd_tls_CAfile = /etc/pki/dovecot/certs/dovecot.pem
                          > >>> smtpd_tls_auth_only = yes
                          > >>
                          > >> this disables starttls since we are already using ssl/tls now

                          Wrong, Benny. See postconf.5.html#smtpd_tls_auth_only and the
                          correction posted by Jan, with which you tried to argue.

                          > > huh? This part I don't quite understand. How are we
                          > > disabling TLS?

                          We're not. That was wrong.

                          > > Where was it enabled before? When we said smtp_use_tls = yes?

                          That deprecated setting is not relevant.

                          > it does not disable tls/ssl, but it removes starttls in a plain
                          > connection without tls/ssl

                          Also wrong.

                          > smtpd vs smtp confusion ?
                          >
                          > with that setting all smtpd_ clients must use tls or ssl

                          With smtpd_tls_security_level=encrypt, yes; not with
                          smtpd_tls_auth_only=yes. Wrong and misleading posts will not help.

                          I think the OP will have to fix the logging problem before we can
                          solve this issue.
                          --
                          http://rob0.nodns4.us/ -- system administration and consulting
                          Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
                        • Benny Pedersen
                          Message 12 of 20 , Jun 14, 2013
                            /dev/rob0 wrote on 2013-06-15 05:27:

                            > I think the OP will have to fix the logging problem before we can
                            > solve this issue.

                            it would be relatively simpler to use more default settings, if the OP is
                            unsure what to do

                            sorry if I write it such that it could be misunderstood :(

                            --
                            senders that put my email into body content will deliver it to my own
                            trashcan, so if you would like to get a reply, don't do it
                          • Jan Kohnert
                            Message 13 of 20 , Jun 15, 2013
                              On Saturday, 15 June 2013, 04:03:44, Benny Pedersen wrote:
                              > Jan Kohnert wrote on 2013-06-15 03:58:
                              > > Well, no, it disables AUTH without tls/ssl but not STARTTLS, IIRC.
                              >
                              > starttls has nothing to do with auth or not

                              Come on, read the documentation:

                              http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

                              --
                              Regards, Jan
                            • Benny Pedersen
                              Message 14 of 20 , Jun 15, 2013
                                Jan Kohnert wrote on 2013-06-15 10:57:

                                > http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only

                                do i need to tell it in --verbose ?

                                starttls has nothing to do with auth; just because this option has
                                tls and auth in one line does not make tls/ssl needed to make auth work

                                --
                                senders that put my email into body content will deliver it to my own
                                trashcan, so if you would like to get a reply, don't do it
                              • Jeroen Geilman
                                Message 15 of 20 , Jun 15, 2013
                                  On 06/15/2013 12:13 PM, Benny Pedersen wrote:
                                  > Jan Kohnert wrote on 2013-06-15 10:57:
                                  >
                                  >> http://www.postfix.org/postconf.5.html#smtpd_tls_auth_only
                                  >
                                  > do i need to tell it in --verbose ?
                                  >
                                  > starttls has nothing to do with auth; just because this option has
                                  > tls and auth in one line does not make tls/ssl needed to make auth work
                                  >

                                  Quoted from the above documentation:

                                  smtpd_tls_auth_only (default: no)
                                  "When TLS encryption is optional in the Postfix SMTP server, do
                                  not announce or accept SASL authentication over unencrypted connections. "

                                  In other words, yes, setting this option in conjunction with
                                  "smtpd_tls_security_level = may" *requires* TLS in order to AUTH.

                                  smtpd_tls_security_level = encrypt means the server will *reject* any
                                  commands that are not STARTTLS, until a TLS connection has been established.

                                  This includes AUTH.

                                  --
                                  J.
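As an added example (not part of this thread or of Postfix), the following checks what an SMTP server announces before and after STARTTLS, which is the behaviour this reply describes: parse_ehlo() reads a multi-line 250 reply like the telnet transcript in the first message, assess() reports a missing STARTTLS or an AUTH offered on the plaintext connection, and probe_server() is an assumed helper that performs the live check with the standard-library smtplib. The embedded EHLO replies are constructed, except the first, which is the OP's.

```python
"""Check what an SMTP server announces before and after STARTTLS.

Added example (not from the thread or from Postfix). parse_ehlo() reads a
multi-line 250 reply such as the telnet transcript in the first message;
assess() reports whether STARTTLS is offered and whether AUTH is exposed
on the plaintext connection, the condition smtpd_tls_auth_only = yes is
meant to prevent; probe_server() is the only part that touches the network.
"""
import smtplib

# Constructed: the EHLO reply the OP pasted, with no STARTTLS line.
EHLO_NO_STARTTLS = """\
250-circuitsofimagination.com
250-PIPELINING
250-SIZE 10485760
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
# Constructed: replies from a server with smtpd_tls_security_level = may and
# smtpd_tls_auth_only = yes, before and after STARTTLS.
EHLO_PLAIN_OK = "250-mx.example\n250-STARTTLS\n250-8BITMIME\n250 DSN\n"
EHLO_AFTER_TLS = "250-mx.example\n250-AUTH PLAIN LOGIN\n250-8BITMIME\n250 DSN\n"
# Constructed: a server that offers AUTH before TLS (smtpd_tls_auth_only = no).
EHLO_PLAIN_LEAK = "250-mx.example\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 DSN\n"


def parse_ehlo(text):
    """Return {KEYWORD: parameters} from a multi-line 250 reply.

    The first 250 line carries the server's hostname, not an extension.
    """
    keywords = {}
    lines = [l for l in text.splitlines() if l.startswith("250")]
    for line in lines[1:]:
        body = line[4:].strip()           # drop the "250-" or "250 " prefix
        if body:
            kw, _, param = body.partition(" ")
            keywords[kw.upper()] = param
    return keywords


def assess(plain, after_tls=None):
    """Classify the posture from EHLO keyword sets; returns [(code, message)]."""
    findings = []
    if "STARTTLS" not in plain:
        findings.append(("no-starttls", "STARTTLS not announced: check "
                         "smtpd_tls_security_level and look for TLS warnings "
                         "in the maillog"))
    if "AUTH" in plain:
        findings.append(("auth-in-plaintext", "AUTH offered before STARTTLS: "
                         "passwords can be captured on the wire; set "
                         "smtpd_tls_auth_only = yes"))
    if after_tls is not None and "AUTH" not in after_tls:
        findings.append(("no-auth-after-tls", "no AUTH even after STARTTLS: "
                         "SASL is not enabled on this port"))
    return findings


def probe_server(host, port=25, timeout=10, context=None):
    """Live check (assumed helper): EHLO, STARTTLS if offered, EHLO again."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        # esmtp_features maps lower-case keywords to their parameters.
        plain = {k.upper(): v for k, v in s.esmtp_features.items()}
        after_tls = None
        if s.has_extn("starttls"):
            # smtplib's default context does not verify the server certificate;
            # pass ssl.create_default_context() to verify against the CA store.
            s.starttls(context=context)
            s.ehlo()
            after_tls = {k.upper(): v for k, v in s.esmtp_features.items()}
    return assess(plain, after_tls)


if __name__ == "__main__":
    for code, msg in assess(parse_ehlo(EHLO_NO_STARTTLS)):
        print(f"[{code}] {msg}")
```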
                                • Benny Pedersen
                                  Message 16 of 20 , Jun 15, 2013
                                    Jeroen Geilman wrote on 2013-06-15 15:35:

                                    > Quoted from the above documentation:
                                    >
                                    > smtpd_tls_auth_only (default: no)
                                    > "When TLS encryption is optional in the Postfix SMTP server,
                                    > do not announce or accept SASL authentication over unencrypted
                                    > connections. "

                                    it does not say it disables auth anywhere, it just says it would not be
                                    possible to connect without starttls or not; starttls on its own has
                                    nothing to do with auth or not

                                    check your own logs how many clients use starttls without auth

                                    just because it is seldom seen in real life that anyone sends auth
                                    over a non-tls/ssl connection does not mean it does not work

                                    postfix has both auth and starttls, starttls is just for clients to
                                    use ssl/tls on port 25, email clients will not use starttls in 2013,
                                    since submission is the right thing anyway

                                    > In other words, yes, setting this option in conjunction with
                                    > "smtpd_tls_security_level = may" *requires* TLS in order to AUTH.
                                    >
                                    > smtpd_tls_security_level = encrypt means the server will *reject* any
                                    > commands that are not STARTTLS, until a TLS connection has been
                                    > established.
                                    >
                                    > This includes AUTH.

                                    it is still not needed to use ssl/tls to make auth work

                                    --
                                    senders that put my email into body content will deliver it to my own
                                    trashcan, so if you would like to get a reply, don't do it
                                  • Wietse Venema
                                    Message 17 of 20 , Jun 15, 2013
                                      Benny Pedersen:
                                      > Jeroen Geilman wrote on 2013-06-15 15:35:
                                      >
                                      > > Quoted from the above documentation:
                                      > >
                                      > > smtpd_tls_auth_only (default: no)
                                      > > "When TLS encryption is optional in the Postfix SMTP server,
                                      > > do not announce or accept SASL authentication over unencrypted
                                      > > connections. "
                                      >
                                      > it does not say it disables auth anywhere,

                                      The server does not announce or accept AUTH, therefore AUTH is disabled.

                                      Wietse
                                    • Benny Pedersen
                                      Message 18 of 20 , Jun 15, 2013
                                        wietse@... wrote on 2013-06-15 16:13:

                                        > The server does not announce or accept AUTH, therefore AUTH is
                                        > disabled.

                                        auth does not need starttls, if auth is not announced then auth is
                                        disabled

                                        --
                                        senders that put my email into body content will deliver it to my own
                                        trashcan, so if you would like to get a reply, don't do it
                                      • Wietse Venema
                                        Message 19 of 20 , Jun 15, 2013
                                          > smtpd_tls_auth_only (default: no)
                                          > "When TLS encryption is optional in the Postfix SMTP server,
                                          > do not announce or accept SASL authentication over unencrypted
                                          > connections. "

                                          Benny Pedersen:
                                          > auth does not need starttls, if auth is not announced then auth is
                                          > disabled

                                          AUTH requires STARTTLS with smtpd_tls_auth_only=yes.

                                          In view of your contributions in recent threads, you are one
                                          step away from removal from this mailing list.

                                          Wietse
                                        • Peter
                                          Message 20 of 20 , Jun 16, 2013
                                            I do realize that this thread probably shouldn't be continued, however I
                                            see some gross misstatements here that need correcting so that someone
                                            browsing the thread won't be misled by them at a later time...

                                            On 06/16/2013 01:58 AM, Benny Pedersen wrote:
                                            >> smtpd_tls_auth_only (default: no)
                                            >> "When TLS encryption is optional in the Postfix SMTP server,
                                            >> do not announce or accept SASL authentication over unencrypted
                                            >> connections. "
                                            >
                                            > it does not say it disables auth anywhere, it just says it would not be
                                            > possible to connect without starttls or not,

                                            No, it disables auth until STARTTLS is established. It has nothing to do
                                            with the connection.

                                            > just because it is seldom seen in real life that anyone sends auth over
                                            > a non-tls/ssl connection does not mean it does not work

                                            It does not work if smtpd_tls_auth_only is set to yes.

                                            > starttls is just for clients to use ssl/tls on port 25,

                                            Actually clients shouldn't use port 25, and neither should you be using
                                            auth on port 25. Clients will use STARTTLS on port 587, however, and
                                            both postfix and MUAs can be configured to use STARTTLS on any port you
                                            wish (via master.cf).

                                            > email clients will not use starttls in 2013,

                                            Seriously? So how is an MUA intended to establish an encrypted
                                            connection to an MSA, then?

                                            > since submission is the right thing anyway

                                            Submission is a port (587) which uses the (e)smtp protocol to submit
                                            messages from an MUA (email client) to an MSA (email submission server)
                                            and can use STARTTLS for encryption. There is no other way to do
                                            encryption on the submission port.

                                            > it is still not needed to use ssl/tls to make auth work

                                            It is if you set smtpd_tls_auth_only=yes.


                                            Peter