public inbox for gentoo-user@lists.gentoo.org
From: Michael Orlitzky <michael@orlitzky.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] clamav and spamassassin
Date: Tue, 06 Dec 2011 17:20:28 -0500
Message-ID: <4EDE952C.4080202@orlitzky.com>
In-Reply-To: <CAN0CFw0M2Jg7Z3=uBBvemZ+XS2TG+G5A_Q1nDeFM1_7741hbnA@mail.gmail.com>

On 12/06/2011 04:34 PM, Grant wrote:
>
> Do you know how smtps comes into play?  Right now I've got the
> following uncommented in master.cf:
>
> smtp      inet  n       -       n       -       -       smtpd
> smtps     inet  n       -       n       -       -       smtpd
>    -o smtpd_tls_wrappermode=yes
>
> Should I write an smtpsd line or does tlsproxy make that unnecessary?

SMTPS is deprecated. You probably don't need it at all, unless you do. 
Some older (Microsoft...) clients can't use anything else for encryption.

These days, the "proper" way to secure your users' connections is with 
TLS on the submission port, 587. You should also have a commented-out 
'submission' line in your master.cf; that's what it's for.

The idea is that you can force encryption on port 587, and have your 
users connect there instead of port 25. Then, the only restriction you 
need for those connections is that the username/password be correct. The 
rest of the mail comes in on port 25, unencrypted, as usual, and is 
subjected to your anti-spam checks.

If you're using either SMTPS or the submission service, you don't need 
to change them. Your users will continue to connect to port 465 (smtps) 
or 587 (submission), bypassing postscreen entirely.

If you're not using the submission service, i.e. both external and 
user-submitted mail come in on port 25, then you'll probably want to 
exempt your users from the postscreen restrictions:

   http://www.postfix.org/postconf.5.html#postscreen_access_list

but you should really be using the submission port!
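
An added example, not part of the original message and not Postfix's own tooling: a Python check that reads master.cf and reports whether the submission (or smtps) service actually forces encryption and authentication, as the message describes. The function names and the sample configuration are constructed for illustration; the script only reads per-service overrides in the simple `-o name=value` form and does not consult main.cf.

```python
# Constructed sample (not from the thread): smtp/smtps as quoted, plus submission.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       n       -       -       smtpd
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""

def parse_master_cf(text):
    """Return {service: {param: value}} from the -o overrides of inet services."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                                  # blank lines and comments
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()         # leading space continues the entry
        else:
            logical.append(line.strip())
    services = {}
    for entry in logical:
        fields = entry.split()
        if len(fields) < 8 or fields[1] != "inet":
            continue
        args = fields[8:]                             # everything after the command name
        pairs = [b for a, b in zip(args, args[1:]) if a == "-o" and "=" in b]
        services[fields[0]] = dict(p.split("=", 1) for p in pairs)
    return services

def audit_service(services, name="submission"):
    """Reasons why `name` does not force TLS and authentication ([] means OK)."""
    if name not in services:
        return [f"{name}: service not enabled"]
    o = services[name]
    problems = []
    if not (o.get("smtpd_tls_security_level") == "encrypt"
            or o.get("smtpd_tls_wrappermode") == "yes"):
        problems.append(f"{name}: TLS is not mandatory")
    if o.get("smtpd_sasl_auth_enable") != "yes":
        problems.append(f"{name}: SASL authentication not enabled")
    rules = [v.split(",") for k, v in o.items() if k.endswith("_restrictions")]
    if not any("permit_sasl_authenticated" in r and r[-1] == "reject" for r in rules):
        problems.append(f"{name}: no 'permit_sasl_authenticated,reject' restriction")
    return problems

if __name__ == "__main__":
    print(audit_service(parse_master_cf(SAMPLE_MASTER_CF)) or "submission: OK")
```

Run against the smtps entry quoted at the top of the message, the same check reports that only the TLS wrapper is set, with no authentication override on that service.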


