
Re: STARTTLS not announced?!

  • Wietse Venema
    Message 1 of 20 , Jun 15, 2013
      > smtpd_tls_auth_only (default: no)
      > "When TLS encryption is optional in the Postfix SMTP server,
      > do not announce or accept SASL authentication over unencrypted
      > connections. "

      Benny Pedersen:
      > auth does not need starttls, if auth is not announced then auth is
      > disabled

      AUTH requires STARTTLS with smtpd_tls_auth_only=yes.

      In view of your contributions in recent threads, you are one
      step away from removal from this mailing list.

      Wietse
    • Peter
      Message 2 of 20 , Jun 16, 2013
        I do realize that this thread probably shouldn't be continued, however I
        see some gross misstatements here that need correcting so that someone
        browsing the thread won't be misled by them at a later time...

        On 06/16/2013 01:58 AM, Benny Pedersen wrote:
        >> smtpd_tls_auth_only (default: no)
        >> "When TLS encryption is optional in the Postfix SMTP server,
        >> do not announce or accept SASL authentication over unencrypted
        >> connections. "
        >
        > it does not say it disables auth anywhere, it just says it would not be
        > possible to connect without starttls or not,

        No, it disables auth until STARTTLS is established. It has nothing to do
        with the connection.

        > just because it seldom seen in real life that no one will send auth over
        > a non tls/ssl does not mean it does not work

        It does not work if smtpd_tls_auth_only is set to yes.

        > starttls is just for clients to use ssl/tls on port 25,

        Actually clients shouldn't use port 25, and neither should you be using
        auth on port 25. Clients will use STARTTLS on port 587, however, and
        both postfix and MUAs can be configured to use STARTTLS on any port you
        wish (via master.cf).

        > email clients will not use starttls in 2013,

        Seriously? So how is an MUA intended to establish an encrypted
        connection to an MSA, then?

        > since submission is the right thing anyway

        Submission is a port (587) which uses the (e)smtp protocol to submit
        messages from an MUA (email client) to an MSA (email submission server)
        and can use STARTTLS for encryption. There is no other way to do
        encryption on the submission port.

        > it still not needed to use ssl/tls to make auth work

        It is if you set smtpd_tls_auth_only=yes.


        Peter
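
The behaviour discussed in this thread can be checked from the EHLO replies a server gives before and after STARTTLS: with smtpd_tls_auth_only=yes, AUTH should appear only in the second one. This is an added example, not part of any message in the thread; the function names, the host mail.example.com and the sample replies are constructed for illustration.

```python
import smtplib
import ssl

def parse_ehlo(reply):
    """Map each ESMTP keyword in an EHLO reply to its list of parameters."""
    caps = {}
    for line in reply.splitlines()[1:]:  # first line is only the server greeting
        # Raw replies carry a "250-"/"250 " prefix; smtplib strips it already.
        if line[:3].isdigit() and line[3:4] in ("-", " "):
            line = line[4:]
        if line.upper().startswith("AUTH="):  # legacy "AUTH=PLAIN LOGIN" form
            line = "AUTH " + line[5:]
        parts = line.split()
        if parts:
            caps[parts[0].upper()] = parts[1:]
    return caps

def audit(pre_tls, post_tls=None):
    """Return findings for the EHLO replies seen before and after STARTTLS."""
    findings = []
    pre = parse_ehlo(pre_tls)
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not announced")
    if "AUTH" in pre:
        findings.append("AUTH announced before STARTTLS: " + " ".join(pre["AUTH"]))
    if post_tls is not None and "AUTH" not in parse_ehlo(post_tls):
        findings.append("AUTH not announced after STARTTLS")
    return findings

def fetch_ehlo(host, port=587):
    """Collect both EHLO replies from a server you operate (needs network)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        pre = smtp.ehlo()[1].decode()
        smtp.starttls(context=ssl.create_default_context())
        post = smtp.ehlo()[1].decode()
    return pre, post

# Constructed sample replies, not captured from a real server.
AUTH_ONLY_PRE = "250-mail.example.com\n250-PIPELINING\n250-STARTTLS\n250 8BITMIME"
AUTH_ONLY_POST = "250-mail.example.com\n250-PIPELINING\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
CLEARTEXT_PRE = "250-mail.example.com\n250-STARTTLS\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    print(audit(AUTH_ONLY_PRE, AUTH_ONLY_POST))  # smtpd_tls_auth_only=yes
    print(audit(CLEARTEXT_PRE, AUTH_ONLY_POST))  # AUTH offered without TLS
```

For a live check, pass the two strings returned by fetch_ehlo() to audit(); an empty list means AUTH is withheld until TLS is established.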