OT - TLS question

Charles Lacroix clacroix at cegep-ste-foy.qc.ca
Thu Sep 24 19:26:43 IST 2009 

Steve Campbell wrote:
>
>
> Charles Lacroix wrote:
>>
>> Not sure if this can help you, but on my single machine email system 
>> i have MailScanner installed and postfix to
>> listen on smtps (465) with sasl authentication. That way when an 
>> employee is outside of the college, he is forced to
>> enter his email password before the mail is sent. This prevents the 
>> "open relay".
>>
>> I also have a webmail installed in case someone wants to use it.
>>
>>
>> Steve Campbell wrote:
>>> I'm considering using TLS on our mail server. It's mostly for our 
>>> roaming users, and unfortunately, our people in charge are 
>>> suggesting we use our main gateway/mail store box instead of setting 
>>> up a separate box for "submission".
>>>
>>> How many of you use TLS for your general incoming mail server? The 
>>> main problem I see is that most people might shy away from the 
>>> initial acceptance of the certificate, and I don't think I've ever 
>>> seen someone else asking me to accept theirs.
>>>
>>> Am I missing something here?
>>>
>>> Steve Campbell
>>>
>>
> Thanks Charles,
>
> I'm going to start using saslauthd on port 587. Our roaming users can 
> use this and will have to be authenticated. No problem there.
>
> People who send mail now are not required to do this on port 25, and 
> we accept mail freely on that port. Got a lot of stuff set up to avoid 
> open relaying also. But as I understand it, if I install my 
> certificate and use TLS, I can't use it on just one port (587) and 
> everyone that sends mail will be asked to accept our certificate, 
> regardless of which port they are sending to. This seems like a lot of 
> useless fuss for people who are just sending mail to our users. The 
> roamers will be able to relay through this server.
>
> Our users (sales staff, wouldn't you know) don't really want to use 
> our webmail system out in the field. I kinda don't blame them as it's 
> a little clunky. So this is just a way for them to send mail through 
> our system and still have the benefits of MailScanner, etc.
>
> As I think I understand this, TLS would just give us encryption as 
> they send in their authenication credentials.
>
> steve
>
The ssl/tls layer is there to make sure passwords aren't passed in 
clear. But ... if you let your users pop/imap in clear, why not add smtp 
on 587 with sasl too
and skip the TLS and self-signed certificate and the zillion of questions.

It all depends on your paranoia level :)

Later
Charles

More information about the MailScanner mailing list