[Kolab-devel] Add additional tls settings for postfix client side
Martin Konold
martin.konold at erfrakon.de
Mon Feb 13 03:06:23 CET 2006
On Thursday, 9 February 2006 22:58, Richard Bos wrote:
Hi Richard,
> smtp_use_tls = yes
> Otherwise you will be able to receive with a TLS encrypted connection but
> send without encryption.
> Should the additional tls settings for postfix client side be added to the
> main.cf template file?
I don't get your point.
We use TLS not to protect the contents of the mails but in order to protect
the credentials used for authentication of the clients with the smtpd
server.
"smtp_use_tls = yes" protects the connection to another smtp server. Typically
this is some server on the internet. If you require authentication the
"smtp_use_tls = yes" makes sense but beware that
firstly enabling authentication for external relay hosts needs manual
configuration anyway with the current Kolab and
secondly enabling "smtp_use_tls = yes" needs proper testing with all hosts in
question because some SMTP servers offer STARTTLS even if it is not
configured.
Last but not least "smtp_use_tls = yes" is only opportunistic and means use
TLS if it is offered by the other host but fall back to non TLS otherwise.
(False feeling of security)
IMHO emails are better protected using per mail encryption like gpg and in the
case of only internal servers under your control use some VPN technology like
IPSec or OpenVPN.
At erfrakon we simply use ssh port forwarding between our Kolab hosts.
Yours,
-- martin
--
http://www.erfrakon.com/
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
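
An added example, not part of the message above or of the Kolab templates: a Python check that reads main.cf text and reports whether the Postfix SMTP client is only opportunistic (falls back to plaintext) or refuses to send without TLS. It goes beyond the one setting discussed in the thread by also reading smtp_enforce_tls and smtp_tls_security_level (Postfix 2.3 and later); the function names and sample configurations are constructed for illustration.

```python
import re

# smtp_tls_security_level values that refuse delivery without TLS.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
# Values that use TLS when possible; "dane" falls back when no usable
# TLSA records are published.
OPPORTUNISTIC = {"may", "dane"}

def parse_main_cf(text):
    """Parse main.cf text into a dict; a later assignment overrides."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                        # blank or comment line
        if raw[0].isspace():                # continuation of previous line
            if name:
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            name, params[m.group(1)] = m.group(1), m.group(2).strip()
    return params

def client_tls_posture(text):
    """Return (posture, deciding_parameter) for the Postfix SMTP client."""
    p = parse_main_cf(text)
    yes = lambda key: p.get(key, "no").lower() == "yes"
    level = p.get("smtp_tls_security_level", "").lower()
    if level:                               # overrides the legacy switches
        if level in MANDATORY:
            return ("mandatory", "smtp_tls_security_level")
        if level in OPPORTUNISTIC:
            return ("opportunistic", "smtp_tls_security_level")
        # "none" or an unrecognised value: treated as no TLS protection
        return ("plaintext", "smtp_tls_security_level")
    if yes("smtp_enforce_tls"):
        return ("mandatory", "smtp_enforce_tls")
    if yes("smtp_use_tls"):
        return ("opportunistic", "smtp_use_tls")
    return ("plaintext", "default")

# Constructed sample configurations (not taken from the Kolab template).
AS_PROPOSED = "smtp_use_tls = yes\n"
ENFORCED = "# relay must speak TLS\nsmtp_use_tls = yes\nsmtp_enforce_tls = yes\n"
MODERN = "smtp_use_tls = yes\nsmtp_tls_security_level =\n    encrypt\n"

if __name__ == "__main__":
    for label, cfg in [("proposed", AS_PROPOSED), ("enforced", ENFORCED), ("modern", MODERN)]:
        print(label, client_tls_posture(cfg))
```

A "mandatory" result only says that mail is never sent in the clear; whether the peer certificate is also verified depends on the level chosen.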