From: "Daniel L. Miller" on 2 Mar 2010 15:30

Victor Duchovni wrote:
> On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
>
>> 192.168.0.110:126 inet n - - - - smtpd
>>   -o smtpd_tls_security_level=may
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>
>> connect with Thunderbird to this address & port set to TLS - works. SSL
>> does not.
>
> Why do you expect SMTP after SSL to work on a port that supports SSL
> after SMTP?
>
> http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode

Ok - inferring from that, I tried:

192.168.0.110:128 inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

Now connecting from Thunderbird SSL works - TLS does not. Just confirming - is this expected and proper behaviour?

--
Daniel

From: Victor Duchovni on 2 Mar 2010 15:42

On Tue, Mar 02, 2010 at 12:30:21PM -0800, Daniel L. Miller wrote:
> Ok - inferring from that, I tried:
> 192.168.0.110:128 inet n - - - - smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> Now connecting from Thunderbird SSL works - TLS does not. Just confirming
> - is this expected and proper behaviour?

Yes, of course. SSL after SMTP won't work with a service that runs SMTP after SSL. The "SMTP inside SSL" service and "SSL inside SMTP" services are not inter-operable and cannot be deployed on the same port.

The "SMTP over SSL" service (wrappermode=yes) is a legacy non-standard service and should be phased out once all clients support "SSL over SMTP" (aka STARTTLS).

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.

From: Noel Jones on 2 Mar 2010 16:12

On 3/2/2010 2:30 PM, Daniel L. Miller wrote:
> Victor Duchovni wrote:
>> On Tue, Mar 02, 2010 at 11:33:48AM -0800, Daniel L. Miller wrote:
>>
>>> 192.168.0.110:126 inet n - - - - smtpd
>>>   -o smtpd_tls_security_level=may
>>>   -o smtpd_sasl_auth_enable=yes
>>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>>
>>> connect with Thunderbird to this address & port set to TLS - works.
>>> SSL does not.
>>
>> Why do you expect SMTP after SSL to work on a port that supports SSL
>> after SMTP?
>>
>> http://www.postfix.org/postconf.5.html#smtpd_tls_wrappermode
> Ok - inferring from that, I tried:
> 192.168.0.110:128 inet n - - - - smtpd
>   -o smtpd_tls_wrappermode=yes
>   -o smtpd_sasl_auth_enable=yes
>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>
> Now connecting from Thunderbird SSL works - TLS does not. Just
> confirming - is this expected and proper behaviour?
>

Yes, that's expected. SSL wrappermode is incompatible with standard SMTP or STARTTLS. Typically wrappermode is specified only on port 465, which is commonly referred to as the smtps port.

--
Noel Jones
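
An added example, not part of any poster's message and not Postfix code: a small audit that reads master.cf text, reports for each inet smtpd listener whether its `-o` overrides make it "SMTP inside SSL" (wrappermode) or "SSL inside SMTP" (STARTTLS), which Thunderbird setting matches, and whether wrappermode sits on a port other than 465. The function names and the port-465 sample entry are assumptions made here, and only `-o` overrides are inspected; main.cf defaults are not consulted.

```python
# Constructed sample: the two master.cf entries quoted in the thread, plus a
# conventional port-465 entry added here for contrast (an assumption).
SAMPLE_MASTER_CF = """\
192.168.0.110:126 inet n - - - - smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
192.168.0.110:128 inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# legacy smtps listener
465 inet n - - - - smtpd
  -o smtpd_tls_wrappermode=yes
"""


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def audit_smtpd_tls(text):
    """Return (service, tls_mode, client_setting, note) per inet smtpd entry."""
    report = []
    for entry in logical_lines(text):
        f = entry.split()
        if len(f) < 8 or f[1] != "inet" or f[7] != "smtpd":
            continue  # not a network-facing smtpd listener
        args = f[8:]
        opts = dict(b.split("=", 1) for a, b in zip(args, args[1:])
                    if a == "-o" and "=" in b)
        port = f[0].rsplit(":", 1)[-1]
        if opts.get("smtpd_tls_wrappermode") == "yes":
            note = "" if port in ("465", "smtps") else "wrappermode off port 465"
            report.append((f[0], "SMTP inside SSL", "SSL", note))
        elif opts.get("smtpd_tls_security_level") in ("may", "encrypt"):
            report.append((f[0], "SSL inside SMTP (STARTTLS)", "TLS", ""))
        else:
            report.append((f[0], "no TLS override", "n/a", "check main.cf"))
    return report
```

Calling `audit_smtpd_tls(SAMPLE_MASTER_CF)` returns one tuple per listener; a listener can only ever appear in one mode, which is why the two client settings cannot share a port.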