On 04/26/2011 06:44 AM, Sandy Drobic wrote:
On 26.04.2011 10:35, Mihira Fernando wrote:
On 04/26/2011 01:57 PM, Sandy Drobic wrote:
Your assumption was that encryption is mandatory and thus responsible for rejecting mails that should be accepted. This is where you went off track, or where my sentence was not clear enough (most likely it's the latter).
What I wrote:
Running SSL or TLS only on port 25 is likely to cause your server to lose mail
What I meant: Enforcing SSL or TLS on port 25 so that encryption is made to be the mandatory default is likely to cause the server to lose mail.
Yes, that is what I thought. I was irritated by the phrase "cause the server to lose mail". You can't lose mail that you haven't accepted. (^-^)
It is more like a self-inflicted denial-of-service. ;-)
Sandy
OK, thanks everyone for the good info and help. I've made some progress
and have my certs set so that I can send out email, and the certs are
recognized as being signed. Finally. The only error on sending as of now
is that the cert is not for this site. This is understandable as I'm
using "localhost" instead of my domain right now. This should resolve
itself once I take this server online and use my domain name on it.
(What I had to do was to cat my signed cert with the StartSSL
intermediate CA and their CA into one file. I read that section of the
postfix.org config page about 14 times before that sank in. I stopped to
set up Apache2 and had a few problems getting the certs right there too,
but that got me going to work on combining the cert and CAs).
Still having problems receiving, or rather reading received mails via
imaps. And this is getting pretty weird. Thunderbird does not like
setting imap security to SSL/TLS (port 993), and still gives the error
that ssl rx record is too long. Setting it to STARTTLS is worse (on port
143), all sorts of errors fly up saying that the server is not available
or has disconnected.
Here's the weird part. Kmail seems to work just fine. Using the feature
in setting up an email account to check what the server provides for
security, it offers None and Use TLS (over port 143) and defaults to Use
TLS. Works fine and does not mention any problem with my certs (now that
I have them combined into one cert file). What also seems weird to me is
that Kmail does not show that SSL is being offered by my mail server. I
do not understand that. But if it's happy with TLS I can work with that.
But I prefer to have Thunderbird working properly also as most clients
are non-Linux and TBird is multi-platform.
I’m starting to think TBird does not like my 256 bit cert, although I
find that hard to believe. Firefox seems happy with this same 256 bit
cert on Apache2. Do I need a 128 bit cert for TBird?
I'm not familiar with TBird logs, but trying to access imaps email with
TBird, /var/log/mail shows:
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: connect from localhost[::1]
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: setting up TLS connection from localhost[::1]
Apr 28 19:34:30 jimmee postfix/smtpd[6823]: Anonymous TLS connection established from localhost[::1]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Apr 28 19:35:00 jimmee postfix/smtpd[6823]: warning: Illegal address syntax from localhost[::1] in RCPT command:
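
Added example, not part of the original message or of any project mentioned in it: a small Python check of what the first bytes from a server look like to a client that expects implicit SSL/TLS. It shows one well-known way an "rx record too long" error arises, namely a plaintext IMAP greeting being read as a TLS record header. The greeting and the record header below are constructed sample bytes, and the function names are hypothetical.

```python
import struct

# TLS 1.0-1.2 upper bound on the length field of a protected record
# (RFC 5246, section 6.2.3).
MAX_RECORD_LEN = 2**14 + 2048
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

# Constructed samples: a plaintext IMAP greeting, and the 5-byte header
# of a TLS 1.0 handshake record carrying 49 bytes.
IMAP_GREETING = b"* OK [CAPABILITY IMAP4rev1 STARTTLS] ready\r\n"
TLS_HANDSHAKE_HEADER = bytes([0x16, 0x03, 0x01, 0x00, 0x31])


def parse_record_header(data: bytes):
    """Read 5 bytes the way a TLS client reads a record header:
    content type (1), version (2), length (2, big-endian)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def record_too_long(data: bytes) -> bool:
    """True if the bytes, read as a record header, exceed the TLS limit."""
    return parse_record_header(data)[2] > MAX_RECORD_LEN


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a server sent after the TCP connect."""
    ctype, version, length = parse_record_header(data)
    if ctype in TLS_CONTENT_TYPES and version[0] == 3 and length <= MAX_RECORD_LEN:
        return "tls-record"
    if data.startswith((b"* OK", b"* PREAUTH", b"* BYE")):
        return "plaintext-imap-greeting"
    return "unknown"


if __name__ == "__main__":
    for name, sample in (("imap greeting", IMAP_GREETING),
                         ("tls header", TLS_HANDSHAKE_HEADER)):
        ctype, version, length = parse_record_header(sample)
        print(f"{name}: type={ctype:#04x} version={version} length={length} "
              f"too_long={record_too_long(sample)} -> {classify_first_bytes(sample)}")
```

Read as a record header, the bytes `* OK ` give a length of 0x4B20 (19232), which is above the 18432-byte limit, so a client expecting TLS on that port reports an over-long record instead of a certificate problem.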