OT - TLS question
campbell at cnpapers.com
Tue Sep 29 18:12:34 IST 2009
Gary Pentland wrote:
> That's all configurable (what isn't in sendmail)...
> Something like this should do it but read the cf documentation and use google! You may need other options so test this carefully with your setup
> DAEMON_OPTIONS(`Name=tls,Port=587, Modifiers=s')
> Hope that helps you find out what you need to do
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Steve Campbell
> Sent: 29 September 2009 14:54
> To: MailScanner discussion
> Subject: Re: OT - TLS question
> I was under the impression that once I added support for TLS, then it
> was server-wide, and that most clients were set up as "use TLS if
> available". It's not going to be a problem for our users, but all those
> in the wild that send mail and get the pop-up might not know what it's for.
> I use sendmail, so is there a way to have the server only use it on a
> particular port and not another? I only want it on port 587, not port 25.
> Thanks for the reply
> Mog wrote:
>> Jason Ede wrote:
>>>> That was sort of my original question - should I use TLS at all?
>>>> The only harm is that they'll be on someone else's network broadcasting
>>>> their passwords. I think most sites set up a server just for this
>>>> "roaming" network traffic and use TLS as a SmartHost type setup. Our
>>>> manager decided we didn't need that extra hardware. It'd only matter to
>>>> people who had their clients set up to use TLS anyway. I know
>>>> Thunderbird defaults to "use it if they offer it", but not sure how
>>>> other clients do it.
>>>> Anyway, thanks for the input.
>>> We moved to TLS as a requirement for all our outgoing email a year or
>>> so back using a proper SSL (didn't cost much at all) mainly to stop
>>> passwords being broadcast in the clear and to try and reduce the
>>> chance of a compromise. It hasn't caused many problems as we didn't
>>> enforce TLS for a while and gave our clients plenty of notification
>>> of moving to requiring TLS and then chased up those that didn't make
>>> the switch before enforcing the requirement. We have the luxury of
>>> having all our outgoing email going through different servers from
>>> our inbound email which makes life much easier.
>> Personally I think yes, you should definitely provide support for TLS
>> (we do on all our servers). I could be wrong, but I think that once
>> activated it encrypts the remainder of the SMTP session, so both the
>> user's credentials and the content of their mail is encrypted.
>> Naturally not everyone will be using TLS when sending you email on
>> port 25, so you probably don't want to be enforcing the use of TLS,
>> but definitely make it available.
>> It's just the same as providing IMAPS and IMAP to cater for people who
>> do and do not use SSL for their IMAP connections.
It seems that I hadn't used the FEATURE(`no_default_msa'). I was able to
get both port 25 and port 587 working like I needed it to work. The only
problem I ran into was when I used the Modifiers=s (M=s), I couldn't
send at all to that port in any MUA configuration. I'm using "Ea"
instead and that does both auth and tls for me. I don't understand it,
but it works as though 's' were set. Port 25 is clear of both auth and
tls and is blocked for relaying through other means.
Again, thanks for the heads-up
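The split-port layout the thread arrives at, written out as a sendmail.mc fragment. This is an added example, not configuration posted by anyone in the thread or shipped with MailScanner; the hostname, certificate paths, include path and OSTYPE are placeholders. Two points from the sendmail cf/README are worth having next to it: the `a` daemon modifier requires authentication on that listener and `E` refuses ETRN, while `s` selects SMTP over SSL (TLS negotiated on connect, the port 465 style) rather than STARTTLS, so a MUA configured for STARTTLS on 587 cannot talk to a daemon started with M=s. STARTTLS itself is enabled server-wide once the certificate defines are set; the per-daemon modifiers control whether authentication is required, not whether STARTTLS is offered.

```m4
dnl Added example: sendmail.mc fragment for a plain MTA on port 25 and an
dnl authenticated submission service on port 587.  Hostname, certificate
dnl paths, include path and OSTYPE are assumptions, not values from the post.
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`example: split MTA/MSA with STARTTLS and required AUTH on 587')dnl
OSTYPE(`linux')dnl
DOMAIN(`generic')dnl

dnl Disable the implicit MSA daemon that sendmail otherwise adds on 587,
dnl so the two DAEMON_OPTIONS lines below are the only listeners and the
dnl 587 daemon gets exactly the modifiers we give it.
FEATURE(`no_default_msa')dnl

dnl STARTTLS material.  Once these are defined STARTTLS is advertised on
dnl every listener; whether a connecting client uses it is up to that client.
define(`confCACERT_PATH', `/etc/pki/tls/certs')dnl
define(`confCACERT', `/etc/pki/tls/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT', `/etc/pki/tls/certs/mail.example.com.crt')dnl
define(`confSERVER_KEY', `/etc/pki/tls/private/mail.example.com.key')dnl

dnl SMTP AUTH.  The p option refuses mechanisms that carry the password in
dnl the clear (PLAIN, LOGIN) until a security layer is active, so a client
dnl that must authenticate on 587 has to issue STARTTLS first.  The y option
dnl refuses anonymous logins; A adds the AUTH= parameter only when the
dnl sender actually authenticated.
define(`confAUTH_MECHANISMS', `PLAIN LOGIN')dnl
TRUST_AUTH_MECH(`PLAIN LOGIN')dnl
define(`confAUTH_OPTIONS', `A p y')dnl

dnl Port 25: inbound MTA.  No modifiers, so authentication is not required;
dnl relaying is decided by the access map and relay-domains, not by AUTH.
DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl

dnl Port 587: submission.  M=Ea means no ETRN and authentication required.
dnl Do not use M=s here: s means SMTP over SSL with TLS on connect, which a
dnl STARTTLS client will not negotiate.
DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl

MAILER(`smtp')dnl
MAILER(`local')dnl
```

To check the result from outside, connect with `openssl s_client -starttls smtp -crlf -connect mail.example.com:587` and send `EHLO test`; the 250 response should list AUTH PLAIN LOGIN only once the TLS handshake has completed, and a plain `telnet mail.example.com 587` followed by EHLO should not list PLAIN or LOGIN at all. On port 25 an unauthenticated `MAIL FROM`/`RCPT TO` to an outside domain should be rejected by the relay rules, which is the control that actually stops the open-relay case rather than the absence of AUTH.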