OT - TLS question

Steve Campbell campbell at cnpapers.com
Thu Sep 24 19:37:39 IST 2009

Charles Lacroix wrote:
> Steve Campbell wrote:
>> Charles Lacroix wrote:
>>> Not sure if this can help you, but on my single machine email system 
>>> i have MailScanner installed and postfix to
>>> listen on smtps (465) with sasl authentication. That way when an 
>>> employee is outside of the college, he is forced to
>>> enter his email password before the mail is sent. This prevents the 
>>> "open relay".
>>> I also have a webmail installed in case someone wants to use it.
>>> Steve Campbell wrote:
>>>> I'm considering using TLS on our mail server. It's mostly for our 
>>>> roaming users, and unfortunately, our people in charge are 
>>>> suggesting we use our main gateway/mail store box instead of 
>>>> setting up a separate box for "submission".
>>>> How many of you use TLS for your general incoming mail server? The 
>>>> main problem I see is that most people might shy away from the 
>>>> initial acceptance of the certificate, and I don't think I've ever 
>>>> seen someone else asking me to accept theirs.
>>>> Am I missing something here?
>>>> Steve Campbell
>> Thanks Charles,
>> I'm going to start using saslauthd on port 587. Our roaming users can 
>> use this and will have to be authenticated. No problem there.
>> People who send mail now are not required to do this on port 25, and 
>> we accept mail freely on that port. Got a lot of stuff set up to 
>> avoid open relaying also. But as I understand it, if I install my 
>> certificate and use TLS, I can't use it on just one port (587) and 
>> everyone that sends mail will be asked to accept our certificate, 
>> regardless of which port they are sending to. This seems like a lot 
>> of useless fuss for people who are just sending mail to our users. 
>> The roamers will be able to relay through this server.
>> Our users (sales staff, wouldn't you know) don't really want to use 
>> our webmail system out in the field. I kinda don't blame them as it's 
>> a little clunky. So this is just a way for them to send mail through 
>> our system and still have the benefits of MailScanner, etc.
>> As I think I understand this, TLS would just give us encryption as 
>> they send in their authentication credentials.
>> steve
> The ssl/tls layer is there to make sure passwords aren't passed in 
> clear. But ... if you let your users pop/imap in clear, why not add 
> smtp on 587 with sasl too
> and skip the TLS and self-signed certificate and the zillion of 
> questions.
> It all depends on your paranoia level :)
> Later
> Charles
That was sort of my original question - should I use TLS at all?

The only harm is that they'll be on someone else's network broadcasting 
their passwords. I think most sites set up a server just for this 
"roaming" network traffic and use TLS as a SmartHost type setup. Our 
manager decided we didn't need that extra hardware. It'd only matter to 
people who had their clients set up to use TLS anyway. I know 
Thunderbird defaults to "use it if they offer it", but not sure how most 
other clients do it.

Anyway, thanks for the input.
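The thread turns on offering TLS plus SASL to roaming users on the submission port while port 25 keeps accepting ordinary inbound mail. The Postfix fragments below are an added example, not taken from either poster's setup: they use master.cf's per-service "-o" overrides to confine mandatory TLS and AUTH to port 587 (with the smtps/465 variant Charles mentions), and the certificate and key paths are placeholders.

```conf
# ---- main.cf (defaults that apply to the port 25 smtpd) ----
# Other sites' mail servers keep delivering as before. TLS is merely
# offered ("may"); a sender that ignores STARTTLS is still accepted, so
# nobody delivering to our users is asked to trust the certificate.
# Placeholder paths: substitute the real certificate and key.
smtpd_tls_cert_file = /etc/postfix/mail.example.com.pem
smtpd_tls_key_file = /etc/postfix/mail.example.com.key
smtpd_tls_security_level = may
# No AUTH on port 25; relaying is governed by the existing restrictions.
smtpd_sasl_auth_enable = no

# ---- master.cf (submission service overrides those defaults) ----
# Port 587: the session must be encrypted before AUTH is offered, so the
# saslauthd password never crosses a hotel or customer network in clear.
# Only authenticated clients may relay through this service.
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=cyrus
  -o smtpd_sasl_path=smtpd
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465 (the smtps variant): same policy, but TLS is negotiated
# immediately on connect ("wrapper mode") instead of via STARTTLS.
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

Because the roaming clients are configured to talk to port 587 (or 465) explicitly, they are the only ones who see the certificate prompt; a mail client left on "use TLS if offered" against port 25 would still work, just without the authenticated relay.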