OT - TLS question

Steve Campbell campbell at cnpapers.com
Thu Sep 24 19:17:38 IST 2009



Charles Lacroix wrote:
>
> Not sure if this can help you, but on my single-machine email system I 
> have MailScanner installed and postfix to
> listen on smtps (465) with sasl authentication. That way when an 
> employee is outside of the college, he is forced to
> enter his email password before the mail is sent. This prevents the 
> "open relay".
>
> I also have a webmail installed in case someone wants to use it.
>
>
> Steve Campbell wrote:
>> I'm considering using TLS on our mail server. It's mostly for our 
>> roaming users, and unfortunately, our people in charge are suggesting 
>> we use our main gateway/mail store box instead of setting up a 
>> separate box for "submission".
>>
>> How many of you use TLS for your general incoming mail server? The 
>> main problem I see is that most people might shy away from the 
>> initial acceptance of the certificate, and I don't think I've ever 
>> seen someone else asking me to accept theirs.
>>
>> Am I missing something here?
>>
>> Steve Campbell
>>
>
Thanks Charles,

I'm going to start using saslauthd on port 587. Our roaming users can 
use this and will have to be authenticated. No problem there.

People who send mail now are not required to do this on port 25, and we 
accept mail freely on that port. Got a lot of stuff set up to avoid open 
relaying also. But as I understand it, if I install my certificate and 
use TLS, I can't use it on just one port (587) and everyone that sends 
mail will be asked to accept our certificate, regardless of which port 
they are sending to. This seems like a lot of useless fuss for people 
who are just sending mail to our users. The roamers will be able to 
relay through this server.

Our users (sales staff, wouldn't you know) don't really want to use our 
webmail system out in the field. I kinda don't blame them as it's a 
little clunky. So this is just a way for them to send mail through our 
system and still have the benefits of MailScanner, etc.

As I think I understand this, TLS would just give us encryption as they 
send in their authentication credentials.

steve
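As an added example, not taken from the thread or from the MailScanner project, here is the shape of a Postfix setup in which port 25 keeps opportunistic STARTTLS (sending MTAs that do not want TLS simply never issue STARTTLS, and no MTA "accepts" a certificate interactively) while the submission service on 587 is the only one that requires TLS and SASL authentication through saslauthd. Postfix applies such settings per service via `-o` overrides in master.cf; the certificate paths and the `smtpd` SASL application name are assumptions.

```conf
# ---- main.cf (assumed defaults for the port-25 listener) ----
# Offer STARTTLS but do not require it; ordinary inbound MTAs are unaffected.
smtpd_tls_security_level = may
# Placeholder certificate paths; substitute the real ones.
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.com.crt
smtpd_tls_key_file = /etc/postfix/certs/mail.example.com.key
# No authentication is offered on port 25; only local recipients are accepted,
# so the box does not become an open relay.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# ---- master.cf (submission service for roaming users only) ----
# Each -o line overrides the main.cf value for this service alone.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  # TLS is mandatory here, and AUTH is only advertised after STARTTLS,
  # so credentials are never sent in the clear.
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  # Cyrus SASL; "smtpd" names /etc/sasl2/smtpd.conf (assumed), which points
  # pwcheck_method at saslauthd.
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=cyrus
  -o smtpd_sasl_path=smtpd
  # Only authenticated clients may relay through this service.
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

Mail submitted on 587 still passes through the same content filter (MailScanner) as port-25 traffic, since the override only changes how the connection is accepted, not where it is delivered.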



More information about the MailScanner mailing list