OT - TLS question

Ken A ka at pacific.net
Thu Sep 24 19:34:17 IST 2009


Steve Campbell wrote:
> 
> 
> Charles Lacroix wrote:
>>
>> Not sure if this can help you, but on my single-machine email system I 
>> have MailScanner installed and postfix to
>> listen on smtps (465) with sasl authentication. That way when an 
>> employee is outside of the college, he is forced to
>> enter his email password before the mail is sent. This prevents the 
>> "open relay".
>>
>> I also have a webmail installed in case someone wants to use it.
>>
>>
>> Steve Campbell wrote:
>>> I'm considering using TLS on our mail server. It's mostly for our 
>>> roaming users, and unfortunately, our people in charge are suggesting 
>>> we use our main gateway/mail store box instead of setting up a 
>>> separate box for "submission".
>>>
>>> How many of you use TLS for your general incoming mail server? The 
>>> main problem I see is that most people might shy away from the 
>>> initial acceptance of the certificate, and I don't think I've ever 
>>> seen someone else asking me to accept theirs.
>>>
>>> Am I missing something here?
>>>
>>> Steve Campbell
>>>
>>
> Thanks Charles,
> 
> I'm going to start using saslauthd on port 587. Our roaming users can 
> use this and will have to be authenticated. No problem there.
> 
> People who send mail now are not required to do this on port 25, and we 
> accept mail freely on that port. Got a lot of stuff set up to avoid open 
> relaying also. But as I understand it, if I install my certificate and 
> use TLS, I can't use it on just one port (587) and everyone that sends 
> mail will be asked to accept our certificate, regardless of which port 
> they are sending to. This seems like a lot of useless fuss for people 
> who are just sending mail to our users. The roamers will be able to 
> relay through this server.
> 
> Our users (sales staff, wouldn't you know) don't really want to use our 
> webmail system out in the field. I kinda don't blame them as it's a 
> little clunky. So this is just a way for them to send mail through our 
> system and still have the benefits of MailScanner, etc.
> 
> As I think I understand this, TLS would just give us encryption as they 
> send in their authentication credentials.
> 
> steve
> 

Signed SSL certs are cheap these days.
Or you could have a separate sendmail listening on 587 (separate config 
file).

Ken

-- 
Ken Anderson
Pacific Internet - http://www.pacific.net
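A worked configuration for the split Steve describes (port 25 open to any sender with no authentication, port 587 encrypted and authenticated for the roaming users) is added here as an example; it is not from any message in this thread and not MailScanner's own configuration. It uses Postfix, the MTA Charles mentioned, and shows that TLS and SASL can be turned on for one listener only: the `main.cf` values apply to port 25, and the `-o` overrides in `master.cf` apply to the submission service alone. The certificate paths, the hostname and the Cyrus SASL (saslauthd) settings are assumptions.

```conf
# --- main.cf (assumed paths) ---
# Port 25 keeps accepting mail from anyone for our own domains.
# TLS is offered ("may") but never required, and no AUTH is advertised,
# so other sites' MTAs see nothing new and nobody is asked to accept anything.
smtpd_tls_cert_file = /etc/postfix/certs/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/certs/mail.example.com.key
smtpd_tls_security_level = may
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- master.cf ---
# Port 587 (submission) is the only place roaming users may relay.
# Here TLS is mandatory, AUTH is advertised only after STARTTLS, and
# a client that has not authenticated is rejected before it can relay.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=cyrus
  -o smtpd_sasl_path=smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

`smtpd_sasl_path=smtpd` points Cyrus SASL at its `smtpd.conf`, where `pwcheck_method: saslauthd` hands the password check to the saslauthd daemon Steve is setting up. Mail accepted on 587 enters the same Postfix queue as mail from port 25, so whatever MailScanner integration is already in place keeps applying to the roaming users' outbound mail. On the certificate question: MTAs delivering to port 25 use opportunistic TLS and do not prompt anyone, so the "accept this certificate?" dialog only ever appears in the sales staff's own mail clients, and only when the certificate's issuer is not in the client's trust store, which is exactly what Ken's cheap signed certificate avoids. Sendmail can do the same split in a single configuration with `DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl` in `sendmail.mc` (`M=a` requires authentication on that listener), as an alternative to Ken's separate instance. To check the result from outside, `openssl s_client -connect mail.example.com:587 -starttls smtp` should show the certificate chain and an EHLO response listing AUTH only after STARTTLS, while the same command against port 25 should complete the handshake without AUTH being offered.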

