OT - TLS question
ka at pacific.net
Thu Sep 24 19:34:17 IST 2009
Steve Campbell wrote:
> Charles Lacroix wrote:
>> Not sure if this can help you, but on my single machine email system I
>> have MailScanner installed and postfix to
>> listen on smtps (465) with sasl authentication. That way when an
>> employee is outside of the college, he is forced to
>> enter his email password before the mail is sent. This prevents the
>> "open relay".
>> I also have a webmail installed in case someone wants to use it.
>> Steve Campbell wrote:
>>> I'm considering using TLS on our mail server. It's mostly for our
>>> roaming users, and unfortunately, our people in charge are suggesting
>>> we use our main gateway/mail store box instead of setting up a
>>> separate box for "submission".
>>> How many of you use TLS for your general incoming mail server? The
>>> main problem I see is that most people might shy away from the
>>> initial acceptance of the certificate, and I don't think I've ever
>>> seen someone else asking me to accept theirs.
>>> Am I missing something here?
>>> Steve Campbell
> Thanks Charles,
> I'm going to start using saslauthd on port 587. Our roaming users can
> use this and will have to be authenticated. No problem there.
> People who send mail now are not required to do this on port 25, and we
> accept mail freely on that port. Got a lot of stuff set up to avoid open
> relaying also. But as I understand it, if I install my certificate and
> use TLS, I can't use it on just one port (587) and everyone that sends
> mail will be asked to accept our certificate, regardless of which port
> they are sending to. This seems like a lot of useless fuss for people
> who are just sending mail to our users. The roamers will be able to
> relay through this server.
> Our users (sales staff, wouldn't you know) don't really want to use our
> webmail system out in the field. I kinda don't blame them as it's a
> little clunky. So this is just a way for them to send mail through our
> system and still have the benefits of MailScanner, etc.
> As I think I understand this, TLS would just give us encryption as they
> send in their authentication credentials.
Signed ssl certs are cheap these days.
Or you could have a separate sendmail listening on 587 (separate config
Pacific Internet - http://www.pacific.net
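To make the per-port split concrete: below is an added configuration example, not from any poster in this thread, showing how a Postfix server (the MTA Charles describes; Steve's MTA is not named) can offer opportunistic STARTTLS on port 25 without asking anything of other mail servers, while requiring TLS plus SASL authentication only on the submission port 587. The certificate paths, hostname and the saslauthd setup are assumptions for illustration; the parameter names themselves are standard Postfix ones.

```conf
# Added example (not from the original thread). Postfix main.cf and master.cf
# fragments: STARTTLS is offered everywhere, but only the submission service
# on port 587 *requires* TLS and SASL AUTH. Assumes Postfix with Cyrus SASL
# backed by saslauthd; paths and hostname below are placeholders.

# --- main.cf: defaults for every smtpd instance (port 25 uses these) ---
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/certs/mail.example.com.key
# "may": advertise STARTTLS on port 25 but never require it. A remote MTA that
# does not want TLS keeps sending in the clear and is never prompted about
# the certificate; MTAs that do use TLS do so opportunistically.
smtpd_tls_security_level = may
# No AUTH on port 25: inbound mail is accepted for our own domains only and
# relaying is refused, so no open relay.
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- master.cf: the submission listener overrides the defaults above ---
# service   type  private unpriv chroot wakeup maxproc command + args
submission  inet  n       -      n      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=cyrus
  -o smtpd_sasl_path=smtpd
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# --- /etc/sasl2/smtpd.conf (assumed location; distribution-dependent) ---
# Hand password checks to saslauthd, as Steve plans to do.
pwcheck_method: saslauthd
mech_list: PLAIN LOGIN
```

The two settings that matter for Steve's concern are `smtpd_tls_security_level = may` on port 25 (other servers are never forced into TLS or into accepting anything) and `encrypt` plus `smtpd_tls_auth_only=yes` on 587, so AUTH is not even advertised until the roaming user's client has started TLS; the password therefore never crosses the wire in the clear. To check the result from outside, `openssl s_client -starttls smtp -connect mail.example.com:587` should show `250-AUTH PLAIN LOGIN` only after the TLS handshake, while the same command against port 25 should show no AUTH line at all. The only party that ever sees a "do you accept this certificate" prompt is the interactive mail client on 587, which is exactly where a certificate from a public CA, as suggested above, removes the prompt.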