Replies: 16 - Pages: 2 - Last Post: May 21, 2008 9:18 AM by: BM5k

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
SMTP SSL
Posted: Mar 8, 2008 3:00 PM
http://img112.imageshack.us/img112/4636/picture1za4.png
So I set up a self-signed SSL certificate for my IMAP email and it went pretty painlessly. Every time I launch mail.app I have to tell it to trust the cert, but otherwise it runs fine. And Eavesdrop confirms that things are very much encrypted now. I set it to Require SSL in IMAP, since I'm the only end user on this server.
Now I need to set up SSL on SMTP and I'm not sure what to use. As I understand it, SMTP uses SSL for SMTP-to-SMTP connections if it's available. My cert is self-signed, so that probably isn't going to work? Is the mail server smart enough to know that if I choose 'Require', that I mean only for mail sent from my client to the SMTP server, and not incoming mail from other SMTP servers to my server?
The main thing I want out of this is to protect my login credentials when I'm connecting to my own mail server from my computers, especially my laptop when I could be sharing a wireless network with anyone.
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)

Posts: 9,714; From: San Jose, CA; Registered: Mar 13, 2002
Re: SMTP SSL
Posted: Mar 9, 2008 1:21 AM, in response to: l008com
AFAIK, setting SMTP to require SSL is going to block most of your incoming mail because most other mail servers don't run SSL.
The issue is that the SSL handshake happens before the server knows that it's you (a local user) that's connecting vs. some other mail server sending a message to your domain.
In my opinion, the far, far easier solution to all of this is to implement a VPN.
Connect once to the VPN and all your traffic to the server, whether IMAP, SMTP, HTTP, even AFP will automatically be encrypted, without the need for certificates, and without warnings about 'self-signed' certificates.
Mac OS X (10.5.2)

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
Re: SMTP SSL
Posted: Mar 9, 2008 1:26 AM, in response to: Camelot
I actually DO have a VPN setup. And I use it for lots of things, but it's way too much of a pain to use it for email. Especially on my laptop. I'll just set it to 'use' and set all of my clients to use SSL.
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
Re: SMTP SSL
Posted: Mar 9, 2008 3:39 AM, in response to: l008com
OH the other angle. Will setting it to USE mess up incoming mail? If an incoming SMTP server connection supports SSL, will the fact that I'm self-signed cause the incoming connection to cancel? How would that work?
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)

Posts: 149; From: Estonia; Registered: Dec 28, 2007
Re: SMTP SSL
Posted: Mar 9, 2008 5:20 AM, in response to: l008com
The best choice would be to make it "Use". SMTP/SSL is useful because:
- all SMTP/SSL connections are authenticated, therefore relaying is permitted from anywhere once the connection is authenticated.
- most ISPs like to force you to use their mailserver to send mail (this is actually to be able to filter out spam) so they will block you from contacting any other e-mail server outside their network unless you have a VPN connection to it. Usually SMTP/SSL is NOT blocked so you can get through without VPN.
XServe
Mac OS X (10.4.11)

Posts: 1,720; Registered: Oct 10, 2000
Re: SMTP SSL
Posted: Mar 9, 2008 5:59 AM, in response to: andrussuitsu
It should be fine to "use" SSL, but not "require" as explained above.
With the setting at "use", clients can use SSL but it will not break standard smtp connections from other servers to yours.
Please note however: I'm not saying this is the case for the OP (don't know his/her type of connection/account), but keep in mind that many - increasingly, most - ISPs will (in fact, do) block incoming "services" if you have a home-type account. IE: not a commercial account which typically costs more. This is distinct from return traffic for your own outgoing requests (eg: typical home-user email and web browsing).
They probably do have a very clear clause in your contract stipulating this, and in fact that if you violate it they can terminate your account/connection.
Something to keep in mind.

Posts: 1,720; Registered: Oct 10, 2000
Re: SMTP SSL
Posted: Mar 9, 2008 6:09 AM, in response to: davidh
Oh, and "l008com" - you can import your custom cert on the clients, and the cert will be trusted - ie: no more warning/nag dialog in Mail.
Bring the .crt file over to clients, double click it and choose to import to X509Anchors
or (on the client, via the Terminal):
sudo certtool i your.crt v k=/System/Library/Keychains/x509Anchors
where "your.crt" is your actual .crt file. Probably want to back up x509Anchors first.
There are one or two articles about working with self-signed SSL certs at afp548.com

Posts: 828; From: somerville, ma; Registered: Jan 11, 2006
Re: SMTP SSL
Posted: Mar 9, 2008 8:42 AM, in response to: davidh
In mail.app, you can also view details when the cert warning pops up and choose to "always trust" the certificate. I believe this does the same thing as adding it to x509anchors.
macbook pro 2.16 ghz, powerbook G4 1ghz, G4 400 mhz, poweredge and some junkers
Mac OS X (10.5.2)

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
Re: SMTP SSL
Posted: Mar 9, 2008 2:37 PM, in response to: foilpan
That's what I do, but it only lasts until I quit mail, then I have to do it all over again.
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
Re: SMTP SSL
Posted: Mar 29, 2008 9:54 PM, in response to: l008com
I have more related questions. About ports.
If I set SSL on SMTP to "use" does this open up SMTP on another port? Does it still leave SMTP open for "receiving"?
If not, is there an easy way to make my server accept email on one of those high unblocked ports, but still accept incoming mail on port 25, for mail destined for my server?
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)

Posts: 5,573; From: Switzerland; Registered: May 19, 2005
Re: SMTP SSL
Posted: Mar 30, 2008 7:46 AM, in response to: l008com
Unless you add any ports to master.cf, no additional ports are added.
As to how to add an extra port, see this:
http://mac007.com/?Tips:Alternate_SMTP_Ports
(or use the board's search function).
Mac OS X (10.5.2)

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
Re: SMTP SSL
Posted: Mar 30, 2008 3:07 PM, in response to: pterobyte
I tried that link and it did not work. So then I looked around that postfix config file and decided to uncomment these two lines:
submission inet n - n - - smtpd
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
I can now send via 587, which is great. BUT I can't use SSL. Is there something else I need to do to enable ssl, or is it not working because my cert is self-signed?
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
Re: SMTP SSL
Posted: Mar 30, 2008 4:50 PM, in response to: l008com
OK, in my previous posting, the numbers "1." are actually comments. Apparently this forum turns the pound sign into actual numbers. But the lines that start with one are lines I left commented out. And the lines without are lines I uncommented.
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)

Posts: 5,573; From: Switzerland; Registered: May 19, 2005
Re: SMTP SSL
Posted: Mar 31, 2008 1:00 AM, in response to: l008com
The instructions in the link work just fine.
That said, since the overriding instructions for port 587 are commented out, you simply enabled port 587 (which is fine), but are using all settings as set in main.cf for port 25. If SSL is set to use in main.cf it should work on port 587 as well.
Mac OS X (10.5.2)
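
Added example, not part of the thread: a small check of what the `submission` entry in a Postfix master.cf actually overrides, since commented-out `-o` lines leave port 587 on the main.cf settings. The function names and the two sample entries are constructed for illustration; the check also accepts the newer `smtpd_tls_security_level=encrypt` in place of `smtpd_enforce_tls=yes`.

```python
# Added example (not from the thread): list which hardening overrides the
# submission (587) entry of a Postfix master.cf carries. Handles "-o name=value".
def parse_master_cf(text):
    """Map (service, type) -> {param: value} taken from each entry's -o args."""
    entries, tokens = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments are ignored
        if raw[0].isspace():               # leading whitespace continues an entry
            if tokens is not None:
                tokens.extend(line.split())
        else:                              # non-whitespace starts a new entry
            tokens = line.split()
            entries[tuple(tokens[:2])] = tokens
    result = {}
    for key, toks in entries.items():
        args = toks[8:]                    # fields 0-7 end with the command name
        result[key] = dict(args[i + 1].split("=", 1)
                           for i, a in enumerate(args[:-1])
                           if a == "-o" and "=" in args[i + 1])
    return result

def audit_submission(text):
    """Return findings for the submission service; an empty list means none."""
    o = parse_master_cf(text).get(("submission", "inet"))
    if o is None:
        return ["submission service is not enabled"]
    findings = []
    if (o.get("smtpd_enforce_tls") != "yes"
            and o.get("smtpd_tls_security_level") != "encrypt"):
        findings.append("TLS not enforced on 587; the main.cf setting applies")
    if o.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL authentication not enabled by override")
    if o.get("smtpd_client_restrictions") != "permit_sasl_authenticated,reject":
        findings.append("unauthenticated clients are not rejected on 587")
    return findings

# Constructed samples: the entry as described in the thread, then all uncommented.
AS_POSTED = """\
submission inet n - n - - smtpd
#  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""
ALL_OVERRIDES = AS_POSTED.replace("#", " ")
if __name__ == "__main__":
    print(audit_submission(AS_POSTED), audit_submission(ALL_OVERRIDES))
```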

Posts: 167; From: Red Sox Nation; Registered: Jul 20, 2004
Re: SMTP SSL
Posted: Mar 31, 2008 2:34 AM, in response to: pterobyte
Well, like I said, I added the lines in the link you gave and I could not send mail. I deleted it and uncommented the existing 'submission' line and I can. In server admin I have SSL set to "use". I set this up on a customer's server today too and they CAN send via SSL. The only difference between the setups is that their certificate is signed, mine is self-signed.
Mac Pro 2.66 / 2GB / 640GB & MacBook 1.83 / 2GB / 160GB
Mac OS X (10.5.2)