OT - TLS question

Steve Campbell campbell at cnpapers.com
Thu Sep 24 19:37:39 IST 2009



Charles Lacroix wrote:
> Steve Campbell wrote:
>>
>>
>> Charles Lacroix wrote:
>>>
>>> Not sure if this can help you, but on my single machine email system 
>>> I have MailScanner installed and postfix to
>>> listen on smtps (465) with sasl authentication. That way when an 
>>> employee is outside of the college, he is forced to
>>> enter his email password before the mail is sent. This prevents the 
>>> "open relay".
>>>
>>> I also have a webmail installed in case someone wants to use it.
>>>
>>>
>>> Steve Campbell wrote:
>>>> I'm considering using TLS on our mail server. It's mostly for our 
>>>> roaming users, and unfortunately, our people in charge are 
>>>> suggesting we use our main gateway/mail store box instead of 
>>>> setting up a separate box for "submission".
>>>>
>>>> How many of you use TLS for your general incoming mail server? The 
>>>> main problem I see is that most people might shy away from the 
>>>> initial acceptance of the certificate, and I don't think I've ever 
>>>> seen someone else asking me to accept theirs.
>>>>
>>>> Am I missing something here?
>>>>
>>>> Steve Campbell
>>>>
>>>
>> Thanks Charles,
>>
>> I'm going to start using saslauthd on port 587. Our roaming users can 
>> use this and will have to be authenticated. No problem there.
>>
>> People who send mail now are not required to do this on port 25, and 
>> we accept mail freely on that port. Got a lot of stuff set up to 
>> avoid open relaying also. But as I understand it, if I install my 
>> certificate and use TLS, I can't use it on just one port (587) and 
>> everyone that sends mail will be asked to accept our certificate, 
>> regardless of which port they are sending to. This seems like a lot 
>> of useless fuss for people who are just sending mail to our users. 
>> The roamers will be able to relay through this server.
>>
>> Our users (sales staff, wouldn't you know) don't really want to use 
>> our webmail system out in the field. I kinda don't blame them as it's 
>> a little clunky. So this is just a way for them to send mail through 
>> our system and still have the benefits of MailScanner, etc.
>>
>> As I think I understand this, TLS would just give us encryption as 
>> they send in their authentication credentials.
>>
>> steve
>>
> The ssl/tls layer is there to make sure passwords aren't passed in 
> clear. But ... if you let your users pop/imap in clear, why not add 
> smtp on 587 with sasl too
> and skip the TLS and self-signed certificate and the zillions of 
> questions.
>
> It all depends on your paranoia level :)
>
> Later
> Charles
>
>
That was sort of my original question - should I use TLS at all?

The only harm is that they'll be on someone else's network broadcasting 
their passwords. I think most sites set up a server just for this 
"roaming" network traffic and use TLS as a SmartHost type setup. Our 
manager decided we didn't need that extra hardware. It'd only matter to 
people who had their clients set up to use TLS anyway. I know 
Thunderbird defaults to "use it if they offer it", but not sure how most 
other clients do it.

Anyway, thanks for the input.

steve
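Added example (not configuration posted by Steve or Charles): a Postfix main.cf/master.cf fragment showing how the two ports discussed above can be treated differently. The `-o` overrides in master.cf apply only to the smtpd instance they are attached to, so TLS and SASL can be mandatory on submission (587) and, if wanted, on smtps (465), while port 25 keeps opportunistic STARTTLS and offers no AUTH at all. The certificate paths, the hostname mail.example.com, and the use of Cyrus SASL in front of saslauthd are assumptions for the example.

```conf
# ---- main.cf: global defaults, inherited by every smtpd unless overridden ----
# Assumed certificate/key paths (self-signed or CA-issued; either works here).
smtpd_tls_cert_file = /etc/postfix/ssl/mail.example.com.pem
smtpd_tls_key_file  = /etc/postfix/ssl/mail.example.com.key
# "may" = advertise STARTTLS on port 25 but never require it. Senders whose
# MTA never asks for TLS never see the certificate; those that do and dislike
# a self-signed cert simply fall back to plaintext with "may".
smtpd_tls_security_level = may
# No AUTH on port 25 at all; inbound mail for our domains only (no open relay).
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
# Assumed: Cyrus SASL, with /usr/lib/sasl2/smtpd.conf containing
# "pwcheck_method: saslauthd" so passwords are checked by saslauthd.
smtpd_sasl_type = cyrus
smtpd_sasl_path = smtpd
# Refuse AUTH PLAIN/LOGIN before STARTTLS so credentials are never sent in clear.
smtpd_tls_auth_only = yes

# ---- master.cf: per-port overrides (values after -o must contain no spaces) ----
# Port 25: plain inbound MTA-to-MTA, inherits the "may"/no-AUTH defaults above.
smtp       inet  n       -       n       -       -       smtpd

# Port 587: roaming users. TLS is mandatory ("encrypt"), AUTH is required,
# and nothing is accepted from an unauthenticated client.
submission inet  n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465 (optional, for clients that only speak SSL-wrapped SMTP, as in
# Charles's setup): same policy, but TLS is negotiated before any SMTP banner.
smtps      inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, `postconf -n` shows the global values and `openssl s_client -starttls smtp -connect mail.example.com:587` should show STARTTLS succeeding and, only after the handshake, an `AUTH` line in the EHLO response; a plain `telnet mail.example.com 25` followed by `EHLO` should list `STARTTLS` but no `AUTH`. Two caveats: with `permit_sasl_authenticated,reject` on 587 the server still relies on `reject_unauth_destination` on port 25 to stay closed, so that line must remain in main.cf; and a self-signed certificate will produce a one-time prompt in clients that are configured to use TLS, which with this layout is only the roaming users, not every MTA delivering to port 25.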



More information about the MailScanner mailing list