
Re: Server to Server TLS encryption?

  • lists@rhsoft.net
    Message 1 of 6, Aug 18, 2013
      On 18.08.2013 07:32, Theodotos Andreou wrote:
      > I went through the TLS Readme but I couldn't find a clear answer to the following question:

      surely

      since postfix in this case is the *client*, here you go:
      http://www.postfix.org/TLS_README.html#client_tls

      > Can you configure postfix in a way that it connects using TLS to another SMTP server, if TLS is available on the
      > other side? For example if the destination server supports TLS then postfix opens a TLS connection to it.

      cat /etc/postfix/main.cf | grep smtp_ | grep tls
      smtp_use_tls = yes
      smtp_tls_loglevel = 1
      smtp_tls_cert_file = /etc/postfix/certs/localhost.pem
      smtp_tls_key_file = /etc/postfix/certs/localhost.pem
      smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
      smtp_tls_security_level = may
      smtp_tls_note_starttls_offer = yes
      smtp_tls_session_cache_timeout = 3600s
      smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
      smtp_tls_exclude_ciphers = DES-CBC3-SHA

      > Furthermore can this be done even if you have a self-signed certificate on the destination?

      yes
    • Peter
      Message 2 of 6, Aug 18, 2013
        On 08/18/2013 07:44 PM, lists@... wrote:
        > smtp_use_tls = yes
        Don't use this, it's obsolete and replaced by ...

        > smtp_tls_security_level = may
        ... this.


        Peter
      • Viktor Dukhovni
        Message 3 of 6, Aug 18, 2013
          On Sun, Aug 18, 2013 at 09:44:05AM +0200, lists@... wrote:

          Better (leaving default values out):

          scache = btree:${data_directory}/
          smtp_tls_session_cache_database = ${scache}smtp_scache
          smtp_tls_loglevel = 1
          smtp_tls_security_level = may

          With the security level set to "may", there is little reason to
          bother with a CAfile, delivery proceeds even without a verified
          peer certificate, and often with an anonymous cipher-suite.

          Client certificates are rarely relevant with SMTP.

          --
          Viktor.
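To put the two corrections above side by side, here is an added example of a Postfix main.cf client-TLS fragment. It is not configuration posted by anyone in the thread; the policy-map path and the destination names in it are assumptions, and the extra per-destination policy goes a step beyond the opportunistic setup the question asks about.

```conf
# /etc/postfix/main.cf: Postfix SMTP *client* (outbound) TLS settings.
# Added example, not a configuration posted in the thread; the policy-map
# path and the destination names in it are assumptions.

# Obsolete Postfix 2.2 syntax. Ignored once smtp_tls_security_level is set.
#smtp_use_tls = yes

# Opportunistic TLS: STARTTLS when the remote server offers it, cleartext
# otherwise. The peer certificate is not verified, so a self-signed
# certificate on the destination does not stop delivery.
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# "may" never fails delivery for TLS reasons, so an attacker on the path can
# hide the STARTTLS offer and get cleartext. Where that matters, raise the
# level for specific destinations rather than globally:
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# A CA bundle is only consulted by the verifying levels (verify, secure):
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing).
# encrypt = TLS mandatory, certificate not verified (works with self-signed);
# secure  = TLS mandatory, chain verified against smtp_tls_CAfile, name matched.
#   selfsigned.example.com  encrypt
#   partner.example.net     secure
```

After `postfix reload`, `postconf -n | grep '^smtp_tls'` lists the client settings that differ from the defaults. With smtp_tls_loglevel = 1 every outbound session is logged as a "Trusted", "Untrusted" or "Anonymous TLS connection established to host[addr]:25: ..." line with the protocol and cipher; a self-signed destination reached under "may" produces the "Untrusted" form, which is expected and does not affect delivery.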
        • Andreas Kasenides
          Message 4 of 6, Aug 18, 2013

            My understanding is that this happens automatically during the negotiation phase if the remote server advertises TLS. At least this is what I thought happened during a recent test. And I was certainly using self-signed certificates. Actually very nice things begin to happen when TLS is enabled. See your friendly Postfix logs!

            Note the opening sentence on the TLS README: "Transport Layer Security (TLS, formerly called SSL) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication." It clearly speaks of SMTP sessions. This happens for 2.3+.

            Andreas

            On 18-08-2013 08:32, Theodotos Andreou wrote:

            Hi guys,

            I went through the TLS Readme but I couldn't find a clear answer to the
            following question:

            Can you configure postfix in a way that it connects using TLS to another
            SMTP server, if TLS is available on the other side? For example if the
            destination server supports TLS then postfix opens a TLS connection to it.

            Furthermore can this be done even if you have a self-signed certificate
            on the destination?

            Thanks
          • Jack-Benny Persson
            Message 5 of 6, Aug 18, 2013
              This is my understanding as well. This can be seen in the message source
              if it has been sent from a server with TLS enabled to another server
              with TLS.

              It looks something like this, I believe:

              Received: from mail.example.com (mail.example.com [xxx.xxx.xxx.xxx])
                  (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
                  (No client certificate requested)
                  by mail.example.org (Postfix) with ESMTPS id xxxxxxx

              Cheers,
              Jack-Benny


              On 08/18/2013 07:41 PM, Andreas Kasenides wrote:
              > My understanding is that this happens automatically during the
              > negotiation phase if the remote server advertises TLS. At least this is
              > what I thought happened during a recent test. And I was certainly using
              > self-signed certificates. Actually very nice things begin to happen when
              > TLS is enabled. See your friendly Postfix logs!
              >
              > Note the opening sentence on the TLS README: "Transport Layer Security
              > (TLS, formerly called SSL) provides certificate-based authentication and
              > encrypted sessions. An encrypted session protects the information that
              > is transmitted with SMTP mail or with SASL authentication." Clearly says
              > about SMTP sessions. This happens for 2.3+
              >
              > Andreas
              >
              > On 18-08-2013 08:32, Theodotos Andreou wrote:
              >
              >> Hi guys,
              >>
              >> I went through the TLS Readme but I couldn't find a clear answer to the
              >> following question:
              >>
              >> Can you configure postfix in a way that it connects using TLS to another
              >> SMTP server, if TLS is available on the other side? For example if the
              >> destination server supports TLS then postfix opens a TLS connection to it.
              >>
              >> Further more can this be done even if you have a self-signed certificate
              >> on the destination?
              >>
              >> Thanks
              >
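The Received: trail Jack-Benny describes is the easiest place to check, after the fact, whether every hop of a message actually used TLS. The following is an added example, not code from the thread: it parses the Received: headers of a constructed message with Python's standard email module, pulls the Postfix TLS clause out of each hop, and flags hops that arrived in cleartext or used a legacy protocol or weak cipher (the RC4 suite in the header quoted above is one such case). The sample headers, hostnames, addresses and queue IDs are made up for the example.

```python
"""Audit the Received: trail of a message for TLS use on each SMTP hop.

Added example, not code posted in the thread. Postfix writes the TLS
protocol and cipher into the Received: header it adds, e.g.
"(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))", and marks
the transport as ESMTPS (the trailing S means the session was encrypted).
"""
import email
import re

# Constructed sample message (not from the thread). The topmost header is
# the newest hop: it arrived over TLS but with RC4; the older hop (client
# laptop to mail.example.com) arrived in cleartext.
SAMPLE_MESSAGE = """\
Received: from mail.example.com (mail.example.com [192.0.2.10])
\t(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
\t(No client certificate requested)
\tby mail.example.org (Postfix) with ESMTPS id 4B2F1C0
\tfor <alice@example.org>; Sun, 18 Aug 2013 19:44:05 +0200 (CEST)
Received: from laptop.example.com (laptop.example.com [192.0.2.20])
\tby mail.example.com (Postfix) with ESMTP id 3A1E0B9
\tfor <alice@example.org>; Sun, 18 Aug 2013 19:44:01 +0200 (CEST)
From: bob@example.com
To: alice@example.org
Subject: TLS test

hello
"""

# Postfix TLS clause. Newer Postfix versions append key-exchange details
# after the "bits)" group, so the pattern does not anchor on a final ")".
TLS_CLAUSE = re.compile(
    r"\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/(?P<algbits>\d+) bits\)"
)
# ESMTPS / ESMTPSA / SMTPS: the S marks a TLS session even without details.
TLS_TRANSPORT = re.compile(r"\bwith E?SMTPSA?\b")

# Protocol versions and cipher-name fragments to flag as weak. ADH/AECDH are
# the anonymous (unauthenticated) suites Viktor mentions above.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def parse_hop(received: str) -> dict:
    """Extract sender, receiver and TLS details from one Received: value."""
    text = re.sub(r"\s+", " ", received).strip()  # undo header folding
    hop = {"from": None, "by": None, "encrypted": False,
           "protocol": None, "cipher": None, "bits": None, "weak": False}
    m = re.match(r"from (\S+)", text)
    if m:
        hop["from"] = m.group(1)
    m = re.search(r"\bby (\S+)", text)
    if m:
        hop["by"] = m.group(1)
    m = TLS_CLAUSE.search(text)
    if m:
        hop["encrypted"] = True
        hop["protocol"] = m.group("proto")
        hop["cipher"] = m.group("cipher")
        hop["bits"] = int(m.group("bits"))
        hop["weak"] = (hop["protocol"] in LEGACY_PROTOCOLS
                       or any(mark in hop["cipher"] for mark in WEAK_CIPHER_MARKERS))
    elif TLS_TRANSPORT.search(text):
        hop["encrypted"] = True  # encrypted, but the MTA logged no cipher details
    return hop


def audit_received(raw_message: str) -> list:
    """Return one dict per hop, oldest hop first (the path the mail took)."""
    msg = email.message_from_string(raw_message)
    # Each MTA prepends its own Received: header, so stored order is newest first.
    return [parse_hop(h) for h in reversed(msg.get_all("Received", []))]


def cleartext_hops(hops: list) -> list:
    """(from, by) pairs that were delivered without TLS."""
    return [(h["from"], h["by"]) for h in hops if not h["encrypted"]]


def weak_hops(hops: list) -> list:
    """(from, by) pairs that used TLS with a legacy protocol or weak cipher."""
    return [(h["from"], h["by"]) for h in hops if h["weak"]]


if __name__ == "__main__":
    for n, h in enumerate(audit_received(SAMPLE_MESSAGE), 1):
        if h["encrypted"]:
            state = f'{h["protocol"]} {h["cipher"]} ({h["bits"]} bits)'
            state += " WEAK" if h["weak"] else ""
        else:
            state = "cleartext"
        print(f'hop {n}: {h["from"]} -> {h["by"]}: {state}')
```

Run against the sample, the report shows the first hop (laptop to mail.example.com) in cleartext and the second hop encrypted with TLSv1 and RC4, flagged as weak. Only hops that pass through Postfix (or another MTA that records the TLS clause) can be judged this way; a hop whose Received: line carries neither the clause nor an ESMTPS transport is reported as cleartext, which is the conservative reading.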