
Re: Server to Server TLS encryption?

  • Peter
    Message 1 of 6 , Aug 18, 2013
      On 08/18/2013 07:44 PM, lists@... wrote:
      > smtp_use_tls = yes
      Don't use this, it's obsolete and replaced by ...

      > smtp_tls_security_level = may
      ... this.


      Peter
    • Viktor Dukhovni
      Message 2 of 6 , Aug 18, 2013
        On Sun, Aug 18, 2013 at 09:44:05AM +0200, lists@... wrote:

        Better (leaving default values out):

        scache = btree:${data_directory}/
        smtp_tls_session_cache_database = ${scache}smtp_scache
        smtp_tls_loglevel = 1
        smtp_tls_security_level = may

        With the security level set to "may", there is little reason to
        bother with a CAfile, delivery proceeds even without a verified
        peer certificate, and often with an anonymous cipher-suite.

        Client certificates are rarely relevant with SMTP.

        --
        Viktor.
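An added example (not from the thread or from Postfix itself): with `smtp_tls_loglevel = 1` as configured above, the smtp(8) client logs one line per completed handshake, and this sketch correlates those lines with deliveries to show which relays received mail over anonymous, untrusted or no TLS under the "may" level. The log lines are constructed, and matching a handshake to a delivery by relay name alone is a simplifying assumption.

```python
import re

# Constructed sample of Postfix smtp(8) log lines at smtp_tls_loglevel = 1.
# Hostnames, addresses and queue IDs are made up for this example.
SAMPLE_LOG = """\
Aug 18 10:01:02 mx postfix/smtp[2101]: Untrusted TLS connection established to mail.example.org[192.0.2.10]:25: TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Aug 18 10:01:03 mx postfix/smtp[2101]: 4F1A2C0: to=<a@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=1.2, status=sent (250 2.0.0 Ok)
Aug 18 10:02:10 mx postfix/smtp[2104]: Anonymous TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1 with cipher ADH-AES256-SHA (256/256 bits)
Aug 18 10:02:11 mx postfix/smtp[2104]: 5B2C3D1: to=<b@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, status=sent (250 2.0.0 Ok)
Aug 18 10:03:30 mx postfix/smtp[2107]: 6C3D4E2: to=<c@example.com>, relay=old.example.com[203.0.113.5]:25, delay=2.0, status=sent (250 2.0.0 Ok)
"""

# Handshake summary line: trust level, peer, protocol and cipher.
TLS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to ([^\[\s]+)\[[^\]]+\]:\d+: (\S+) with cipher (\S+)")
# Successful delivery line: the relay that accepted the message.
SENT_RE = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^>]*>, relay=([^\[\s,]+)\[[^\]]+\]:\d+,.*status=sent")


def summarize(log_text):
    """Map each relay that accepted mail to (trust level, protocol, cipher).

    A relay with a delivery but no preceding handshake line is reported as
    "cleartext": at security level "may" the client falls back to plain SMTP.
    """
    tls = {}      # relay -> details of the most recent handshake seen
    result = {}
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            level, relay, proto, cipher = m.groups()
            tls[relay] = (level, proto, cipher)
            continue
        m = SENT_RE.search(line)
        if m:
            relay = m.group(1)
            result[relay] = tls.get(relay, ("cleartext", None, None))
    return result


if __name__ == "__main__":
    for relay, (level, proto, cipher) in summarize(SAMPLE_LOG).items():
        print(f"{relay:20} {level:10} {proto or '-':8} {cipher or '-'}")
```
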
      • Andreas Kasenides
        Message 3 of 6 , Aug 18, 2013

          My understanding is that this happens automatically during the negotiation phase if the remote server advertises TLS. At least this is what I thought happened during a recent test. And I was certainly using self-signed certificates. Actually very nice things begin to happen when TLS is enabled. See your friendly Postfix logs!

          Note the opening sentence on the TLS README: "Transport Layer Security (TLS, formerly called SSL) provides certificate-based authentication and encrypted sessions. An encrypted session protects the information that is transmitted with SMTP mail or with SASL authentication." Clearly says about SMTP sessions. This happens for 2.3+

          Andreas

          On 18-08-2013 08:32, Theodotos Andreou wrote:

          Hi guys,
          
          I went through the TLS Readme but I couldn't find a clear answer to the 
          following question:
          
          Can you configure postfix in a way that it connects using TLS to another 
          SMTP server, if TLS is available on the other side? For example if the 
          destination server supports TLS then postfix opens a TLS connection to it.
          
          Furthermore, can this be done even if you have a self-signed certificate 
          on the destination?
          
          Thanks
          

           

           
        • Jack-Benny Persson
          Message 4 of 6 , Aug 18, 2013
            This is my understanding as well. This can be seen in the message source
            if it has been sent from a server with TLS enabled to another server
            with TLS.

            It looks something like this, I believe:

            Received: from mail.example.com (mail.example.com
            [xxx.xxx.xxx.xxx])(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))
            (No client certificate requested)
            by mail.example.org (Postfix) with ESMTPS id xxxxxxx

            Cheers,
            Jack-Benny


            On 08/18/2013 07:41 PM, Andreas Kasenides wrote:
            > My understanding is that this happens automatically during the
            > negotiation phase if the remote server advertises TLS. At least this is
            > what I thought happened during a recent test. And I was certainly using
            > self-signed certificates. Actually very nice things begin to happen when
            > TLS is enabled. See your friendly Postfix logs!
            >
            > Note the opening sentence on the TLS README: "Transport Layer Security
            > (TLS, formerly called SSL) provides certificate-based authentication and
            > encrypted sessions. An encrypted session protects the information that
            > is transmitted with SMTP mail or with SASL authentication." Clearly says
            > about SMTP sessions. This happens for 2.3+
            >
            > Andreas
            >
            > On 18-08-2013 08:32, Theodotos Andreou wrote:
            >
            >> Hi guys,
            >>
            >> I went through the TLS Readme but I couldn't find a clear answer to the
            >> following question:
            >>
            >> Can you configure postfix in a way that it connects using TLS to another
            >> SMTP server, if TLS is available on the other side? For example if the
            >> destination server supports TLS then postfix opens a TLS connection to it.
            >>
            >> Furthermore, can this be done even if you have a self-signed certificate
            >> on the destination?
            >>
            >> Thanks
            >
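An added example (not part of any post in the thread): a per-hop check of the `Received:` chain for the TLS comment shown in the message above, so that hops relayed without TLS stand out. The sample message, addresses and queue IDs are constructed; the parser assumes the Postfix-style `(using ... with cipher ...)` comment and the RFC 3848 `with` keywords, and each header is only as reliable as the server that wrote it.

```python
import re
from email import message_from_string

# Constructed message with two hops: one over TLS, one in cleartext.
SAMPLE_MSG = (
    "Received: from mail.example.com (mail.example.com [192.0.2.25])\n"
    "\t(using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits))\n"
    "\t(No client certificate requested)\n"
    "\tby mail.example.org (Postfix) with ESMTPS id 3F2A91C0\n"
    "\tfor <user@example.org>; Sun, 18 Aug 2013 19:50:01 +0200 (CEST)\n"
    "Received: from laptop.example.com (unknown [192.0.2.77])\n"
    "\tby mail.example.com (Postfix) with ESMTP id 9D41B2E7\n"
    "\tfor <user@example.org>; Sun, 18 Aug 2013 19:49:58 +0200 (CEST)\n"
    "Subject: test\n\nbody\n"
)

USING_RE = re.compile(r"\(using (\S+) with cipher (\S+) \((\d+)/\d+ bits\)")
WITH_RE = re.compile(r"\bwith ((?:E?SMTP|LMTP)S?A?)\b")
BY_RE = re.compile(r"\bby (\S+)")


def hops(raw_message):
    """Return one dict per Received header, newest hop first."""
    out = []
    for hdr in message_from_string(raw_message).get_all("Received", []):
        flat = re.sub(r"\s+", " ", hdr)   # unfold continuation lines
        using = USING_RE.search(flat)
        proto = WITH_RE.search(flat)
        by = BY_RE.search(flat)
        keyword = proto.group(1) if proto else None
        out.append({
            "by": by.group(1) if by else None,
            "with": keyword,
            "protocol": using.group(1) if using else None,
            "cipher": using.group(2) if using else None,
            "bits": int(using.group(3)) if using else None,
            # TLS shows up as the "using" comment or an S after "MTP" (RFC 3848).
            "tls": bool(using)
                   or (keyword is not None and "S" in keyword.split("MTP", 1)[1]),
        })
    return out


if __name__ == "__main__":
    for hop in hops(SAMPLE_MSG):
        print(hop)
```
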