Re: TLS support on postfix




On 02/07/2012 04:50 PM, Kumar Krishna wrote:
> Hi List,
>
> I have a postfix server based on CentOS 5 in which I have been trying to add TLS encryption support for SMTP.
>
> From the localhost when I do an EHLO, the following is the output
>
> [root@xxxxxxx ~]# nc localhost 25
> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> EHLO localhost
> 250-xxxxxxx.xxxx.xxx.xx
> 250-PIPELINING
> 250-SIZE 41943040
> 250-VRFY
> 250-ETRN
> 250-STARTTLS
> 250-AUTH PLAIN LOGIN
> 250-AUTH=PLAIN LOGIN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250 DSN
>
> However, from a remote location when I do the EHLO, the response does not contain STARTTLS, ENHANCEDSTATUSCODES and DSN
>
> krishna@L03:~$ nc xxxxxxx.xxxx.xxx.xx 25
> 220 xxxxxxx.xxxx.xxx.xx ESMTP Postfix
> EHLO localhost
> 250-xxxxxxx.xxxx.xxx.xx
> 250-PIPELINING
> 250-SIZE 41943040
> 250-VRFY
> 250-ETRN
> 250-AUTH PLAIN LOGIN
> 250 8BITMIME
>
>
> I have done some googling and found this might be because of the Cisco Router's "ESMTP Fix". However, can someone here tell me if there are any settings in master.cf or main.cf that might result in similar behaviour?
>
> Regards,
> KRiSHNA
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> http://lists.centos.org/mailman/listinfo/centos

From http://www.postfix.org/TLS_README.html:

By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix is visible. Explicitly switch it on with "smtpd_tls_security_level = may".
/etc/postfix/main.cf:
    smtpd_tls_security_level = may

With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption.



My TLS configuration looks something like this:

# INCOMING TLS (smtpd server)
smtpd_tls_security_level = may
smtpd_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/certs/tls.key
smtpd_tls_cert_file = /etc/postfix/certs/tls.crt
smtpd_tls_CAfile = /etc/postfix/certs/CAcert.crt
smtpd_tls_CApath = /etc/postfix/certs
smtpd_tls_loglevel = 1

smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

# OUTGOING TLS (SMTP transport)
smtp_tls_loglevel = 1
smtp_tls_session_cache_database = btree:/var/run/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes


Nataraj

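The thread's diagnosis rests on comparing what the server advertises to a local client with what a remote client actually receives. The script below is an added example (not code from either poster or from the Postfix project) that does that comparison mechanically: it parses two EHLO replies into their extension lists and reports which keywords are missing from the remote view. The two sample replies are constructed from the transcripts quoted above; the `fetch_ehlo` helper uses Python's standard `smtplib` to pull a live reply from a host of your choosing. Note that the diff also surfaces the legacy `AUTH=PLAIN LOGIN` line, which the remote transcript lacks as well. If STARTTLS is present when probed on the server itself but absent from a remote vantage point, and `postconf smtpd_tls_security_level` shows `may`, the stripping is happening on the path rather than in main.cf.

```python
"""Compare the ESMTP extension list a Postfix server advertises from two
vantage points (e.g. localhost vs. a remote client). A keyword present
in one list but absent from the other means something between client
and server is changing what the server announces.

Added example; not code from the CentOS list post. The sample EHLO
replies below are constructed from the transcripts in the post.
"""
import smtplib
import sys
from typing import Dict, Set

# Constructed sample: the EHLO reply seen from localhost in the post.
LOCAL_EHLO = """250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed sample: the EHLO reply seen from the remote host in the post.
REMOTE_EHLO = """250-xxxxxxx.xxxx.xxx.xx
250-PIPELINING
250-SIZE 41943040
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN
250 8BITMIME"""


def parse_ehlo(response: str) -> Dict[str, str]:
    """Parse a multi-line EHLO reply (RFC 5321 section 4.1.1.1) into a
    keyword -> parameters map. The first line carries the server's
    hostname, not an extension, so it is skipped. Keywords are uppercased
    because ESMTP keywords are case-insensitive. The non-standard
    'AUTH=PLAIN LOGIN' form (emitted for old clients) is recorded under
    the keyword 'AUTH=' so it can be diffed like any other line."""
    extensions: Dict[str, str] = {}
    lines = [ln.strip() for ln in response.splitlines() if ln.strip()]
    for line in lines[1:]:
        # Every line of a successful EHLO reply is "250-..." or "250 ..." (last).
        if not line.startswith("250"):
            raise ValueError(f"not an EHLO success line: {line!r}")
        body = line[4:]
        keyword, _, params = body.partition(" ")
        if "=" in keyword:
            keyword, _, first_param = keyword.partition("=")
            keyword += "="
            params = (first_param + " " + params).strip()
        extensions[keyword.upper()] = params.strip()
    return extensions


def missing_extensions(reference: str, observed: str) -> Set[str]:
    """Keywords advertised in `reference` that are absent from `observed`."""
    return set(parse_ehlo(reference)) - set(parse_ehlo(observed))


def starttls_stripped(reference: str, observed: str) -> bool:
    """True when the reference view offers STARTTLS but the observed one does not."""
    return "STARTTLS" in missing_extensions(reference, observed)


def fetch_ehlo(host: str, port: int = 25, helo_name: str = "localhost",
               timeout: float = 10.0) -> str:
    """Send EHLO to a live server and return the reply in the same shape
    as the constructed samples. smtplib strips the '250-' prefixes and
    joins the lines with '\\n', so they are put back here. Network helper;
    not exercised by the offline samples."""
    with smtplib.SMTP(host, port, timeout=timeout) as conn:
        code, message = conn.ehlo(helo_name)
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {message!r}")
        lines = message.decode("utf-8", "replace").splitlines()
        return "\n".join(["250-" + ln for ln in lines[:-1]] + ["250 " + lines[-1]])


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live probe of one host: list what it advertises from here.
        live = parse_ehlo(fetch_ehlo(sys.argv[1]))
        for kw in sorted(live):
            print(f"{kw} {live[kw]}".rstrip())
        print("STARTTLS offered:", "STARTTLS" in live)
    else:
        # Offline: diff the two constructed transcripts from the post.
        gone = missing_extensions(LOCAL_EHLO, REMOTE_EHLO)
        print("missing from remote view:", ", ".join(sorted(gone)))
        print("STARTTLS stripped:", starttls_stripped(LOCAL_EHLO, REMOTE_EHLO))
```

Run it once on the mail server against `localhost` and once from an outside host against the public name, then feed the two saved replies to `missing_extensions`; the offline mode reproduces the comparison for the transcripts in the thread.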