Re: STARTTLS not announced?!
- I do realize that this thread probably shouldn't be continued; however, I
see some gross misstatements here that need correcting so that someone
browsing the thread won't be misled by them at a later time...
On 06/16/2013 01:58 AM, Benny Pedersen wrote:
>> smtpd_tls_auth_only (default: no)
>> "When TLS encryption is optional in the Postfix SMTP server,
>> do not announce or accept SASL authentication over unencrypted
>> connections. "
> it does not say it disables auth anywhere, it just says it would not be
> possible to connect without starttls or not,
No, it disables auth until STARTTLS is established. It has nothing to do
with the connection.
> just because it is seldom seen in real life that no one will send auth over
> a non-TLS/SSL connection does not mean it does not work
It does not work if smtpd_tls_auth_only is set to yes.
> STARTTLS is just for clients to use SSL/TLS on port 25,
Actually, clients shouldn't use port 25, and neither should you be using
auth on port 25. Clients will use STARTTLS on port 587, however, and
both Postfix and MUAs can be configured to use STARTTLS on any port you
wish (via master.cf).
> email clients will not use STARTTLS in 2013,
Seriously? So how is an MUA intended to establish an encrypted
connection to an MSA, then?
> since submission is the right thing anyway
Submission is a port (587) which uses the (E)SMTP protocol to submit
messages from an MUA (email client) to an MSA (email submission server)
and can use STARTTLS for encryption. There is no other way to do
encryption on the submission port.
> it is still not needed to use SSL/TLS to make auth work
It is if you set smtpd_tls_auth_only=yes.
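The behaviour argued over in this exchange, as an added example that is not part of the original post and not Postfix's own code: a small state machine that models what smtpd_tls_auth_only=yes does on an MSA. Before STARTTLS the EHLO reply does not list AUTH and an AUTH command is refused; after STARTTLS the same command succeeds. The hostname, credentials and the 530/235/535 reply strings are constructed for the example (the 530 wording is modelled on Postfix's, but treat the exact text as an assumption), and no real socket or TLS handshake is performed.

```python
"""Model of a Postfix-style SMTP server with smtpd_tls_auth_only = yes.

Constructed example: no sockets are opened; this walks the EHLO/STARTTLS/AUTH
state machine the post describes. Reply strings approximate Postfix wording
and are assumptions, not copied from Postfix source.
"""

# Constructed SASL user database; not a real account.
SASL_USERS = {"alice": "s3cret"}


class TlsAuthOnlyServer:
    """Minimal SMTP server state.

    tls_auth_only=True models main.cf  smtpd_tls_auth_only = yes
    tls_required=True  models          smtpd_tls_security_level = encrypt
    (what a submission service in master.cf usually sets via -o overrides).
    """

    def __init__(self, tls_auth_only=True, tls_required=False,
                 hostname="mail.example.test"):
        self.tls_auth_only = tls_auth_only
        self.tls_required = tls_required
        self.hostname = hostname
        self.tls_active = False      # flipped by a successful STARTTLS
        self.authenticated = None    # username once AUTH succeeds

    def ehlo(self, client_name):
        """Return the EHLO capability lines the server would announce."""
        caps = [f"250-{self.hostname}", "250-PIPELINING", "250-SIZE 10240000"]
        if not self.tls_active:
            caps.append("250-STARTTLS")
        # With tls_auth_only, AUTH is announced only once TLS is up.
        if self.tls_active or not self.tls_auth_only:
            caps.append("250-AUTH PLAIN LOGIN")
        caps.append("250 8BITMIME")
        return caps

    def starttls(self):
        """Model STARTTLS; the handshake itself is out of scope."""
        if self.tls_active:
            return "554 5.5.1 Error: TLS already active"
        self.tls_active = True
        return "220 2.0.0 Ready to start TLS"

    def auth_plain(self, user, password):
        """Model AUTH PLAIN with the credentials already decoded."""
        if self.tls_auth_only and not self.tls_active:
            # This is what "disables auth until STARTTLS is established" means:
            # the command is refused, not merely left out of EHLO.
            return "530 5.7.0 Must issue a STARTTLS command first"
        if SASL_USERS.get(user) == password:
            self.authenticated = user
            return "235 2.7.0 Authentication successful"
        return "535 5.7.8 Error: authentication failed"

    def mail_from(self, sender):
        """Model MAIL FROM under permit_sasl_authenticated, reject."""
        if self.tls_required and not self.tls_active:
            return "530 5.7.0 Must issue a STARTTLS command first"
        if self.authenticated is None:
            return "554 5.7.1 Client host rejected: Access denied"
        return "250 2.1.0 Ok"


def announces_auth(ehlo_lines):
    """True if any EHLO capability line advertises AUTH (strip '250-'/'250 ')."""
    return any(line[4:].startswith("AUTH") for line in ehlo_lines)


def run_dialogue(tls_auth_only=True):
    """Plaintext AUTH attempt, then STARTTLS, then AUTH again. Returns steps."""
    srv = TlsAuthOnlyServer(tls_auth_only=tls_auth_only)
    steps = []
    steps.append(("EHLO plaintext", srv.ehlo("client.example.test")))
    steps.append(("AUTH plaintext", srv.auth_plain("alice", "s3cret")))
    steps.append(("STARTTLS", srv.starttls()))
    steps.append(("EHLO over TLS", srv.ehlo("client.example.test")))
    steps.append(("AUTH over TLS", srv.auth_plain("alice", "s3cret")))
    steps.append(("MAIL FROM", srv.mail_from("alice@example.test")))
    return steps


if __name__ == "__main__":
    for step, reply in run_dialogue():
        print(step, "->", reply)
```

Run it once with the default and once with tls_auth_only=False to see the difference the post is about: in the default case the first AUTH is refused with a 530 even though the client never looked at EHLO, so a client that tries AUTH "anyway" over plaintext gains nothing.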