[Kolab-devel] Add additional tls settings for postfix client side

Martin Konold martin.konold at erfrakon.de
Mon Feb 13 03:06:23 CET 2006

On Thursday, 9 February 2006 22:58, Richard Bos wrote:

Hi Richard,

> smtp_use_tls = yes

> Otherwise you will be able to receive with a TLS encrypted connection but
> send without encryption.

> Should the additional tls settings for postfix client side be added to the
> main.cf template file?

I don't get your point. 

We use TLS not to protect the contents of the mails but in order to protect 
the credentials used for authentication of the clients with the smtpd 

"smtp_use_tls = yes" protects the connection to another smtp server. Typically 
this is some server on the internet. If you require authentication the 
"smtp_use_tls = yes" makes sense but beware that

firstly enabling authentication for external relay hosts needs manual 
configuration anyway with the current Kolab and

secondly enabling "smtp_use_tls = yes" needs proper testing with all hosts in 
question because some SMTP servers offer STARTTLS even if it is not 

Last but not least "smtp_use_tls = yes" is only opportunistic and means use 
TLS if it is offered by the other host but fall back to non-TLS otherwise. 
(False feeling of security)

IMHO emails are better protected using per mail encryption like gpg and in the 
case of only internal servers under your control use some VPN technology like 
IPSec or OpenVPN. 

At erfrakon we simply use ssh port forwarding between our Kolab hosts.

-- martin

Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
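
Added example, not part of the original message or of Kolab: a small Python check that reads a main.cf and reports whether mail this host sends uses no TLS, opportunistic TLS, or mandatory TLS. It assumes Postfix's documented precedence, where smtp_tls_security_level (Postfix 2.3 and later) overrides the older smtp_use_tls and smtp_enforce_tls switches; the sample configurations are constructed.

```python
# Added example: classify the effective outbound (smtp client) TLS policy of a main.cf.
import re

MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
OPPORTUNISTIC = {"may", "dane"}  # "dane" behaves like "may" without usable TLSA records

def parse_main_cf(text):
    """Return {name: value}; handles comments, continuation lines, last-one-wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def client_tls_policy(text):
    """'mandatory', 'opportunistic' or 'none' for mail this host sends."""
    p = parse_main_cf(text)
    level = p.get("smtp_tls_security_level", "")
    if level:                                   # overrides the legacy switches
        if level in MANDATORY:
            return "mandatory"
        return "opportunistic" if level in OPPORTUNISTIC else "none"
    if p.get("smtp_enforce_tls", "no") == "yes":
        return "mandatory"                      # never deliver in the clear
    if p.get("smtp_use_tls", "no") == "yes":
        return "opportunistic"                  # falls back to plaintext
    return "none"

# Constructed sample: the client-side line proposed in this thread.
PROPOSED = """\
# server side: TLS offered to submitting clients
smtpd_use_tls = yes
# client side
smtp_use_tls = yes
"""
ENFORCED = PROPOSED + "smtp_enforce_tls = yes\n"

if __name__ == "__main__":
    for name, cfg in (("proposed", PROPOSED), ("enforced", ENFORCED)):
        print(name, "->", client_tls_policy(cfg))
```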
