Enable SMTP SSL/TLS (Centos 5.9 - Postfix

marciano · 04-30-2013, 11:41 AM

Hello,

I followed instructions from http://wiki.centos.org/HowTos/postfix_sasl to setup a secure mail server.
The last line talks about configuring email clients, Thunderbird in server settings "select SSL".
This is SSL/TLS, it works okay for incoming mail, port 995.
But it doesn't for SMTP.
STARTTLS on port 587 works fine but SSL/TLS on port 465 does not: "connection timeout" when trying to send an email.
I would like to know how what I am missing to send SSL/TLS mail.

Some data in reference to the steps in http://wiki.centos.org/HowTos/postfix_sasl
Slight difference in my main.conf:
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, check_policy_service unix:/var/spool/postfix/postgrey/socket

Telnet on port 25 also contains AUTH PLAIN (after ssl implementation)(wiki says it shouldn't be):
250-PIPELINING
250-SIZE 50480000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

#One line from maillog:
dovecot: pop3-login: Login: user=<bob>, method=PLAIN, rip=::ffff:x.x.17.166, lip=::ffff:y.y.y.54, TLS
#Another line from maillog
dovecot: imap-login: Login: user=<bob>, method=PLAIN, rip=::ffff:127.0.0.1, lip=::ffff:127.0.0.1, secured
##This is from squirrelmail
#Another line from maillog
postfix/smtpd[8948]: TLS connection established from ......: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
##Sending mail with STARTTLS

master.conf
smtp inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
465 inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes
587 inet n - n - - smtpd -o smtpd_sasl_auth_enable=yes

Thank you

siremaxus · 05-03-2013, 12:33 PM

Hi,

Have you checked this option?

http://www.faqforge.com/linux/how-to...ix-mailserver/

Regards,

Sire Maxus

marciano · 05-03-2013, 03:19 PM

Hello Sire Maxus, thanks for your reply.

Well, forget 465
"Even in 2013, there are still services that continue to offer the deprecated SMTPS interface on port 465 in addition to (or instead of!) the RFC-compliant message submission interface on the port 587 defined by RFC 6409.[6] Service providers that maintain port 465 do so because [7] older Microsoft applications (including Entourage v10.0) do not support STARTTLS, [8] and thus not the smtp-submission standard (ESMTPS on port 587). The only way for service providers to offer those clients an encrypted connection is to maintain port 465."

Thanks again,
M