Hello,
I was reading some posts here but I am still confused.
I’m not strong on these issues.
I have a dedicated server (Fedora8) with a few virtual hosts.
I need to secure Postfix-SMTP and enable TLS encryption to prevent spam sending by eventual hijackers.
The only certificate I have installed is one created by me with Webmin module to access cp via https.
I need some basic data on how to start on this, which kind of certificate I need, and whether the free one from startssl.com would be enough.
Thanks a lot in advance.
PS: from startssl.com I have ssl.key (decrypted), ssl.crt and ssl.csr

Post edited by: marciano, at: 2009/05/24 04:53
Hello Eric, thanks for your reply.
At the same time you were posting it I was editing my first one.
Would it be better to use those files from startssl.com than those already installed?
Thank you
I’m not really familiar with startssl certificates. If it’s free, then no, there wouldn’t really be an advantage to that over what’s already available in Postfix.
-Eric
Actually, it looks like they are accepted by browsers. I assume they are chained certificates, similar to the ones GoDaddy and others sell for ten to twenty bucks per year. I dunno. Research would be needed. But they look like actual certificates with real browser support.
As I understand it, this is a secure way to send mail from a client. Isn’t it?
Actually I want to prevent any stranger’s script from sending bulk mail using mail() from a php script or something similar.
Anyway, after performing those changes in master.cf and conf.apf (restarted both)
I’ve set my client SMTP server (Thunderbird mail) to SSL and port 465. Then I get: The server is refusing SMTP connections
Returning to ‘TLS if available’, sending goes well.
Thank you both Joe and Eric
Yes, Postfix has been restarted. From the maillog I also got this: daemon started – version 2.5.5, configuration /etc/postfix
May 26 17:16:55 postfix/qmgr[15645]: warning: bounce_queue_lifetime is larger than maximal_queue_lifetime - adjusting bounce_queue_lifetime
There’s a problem here.
From local
% telnet localhost 465
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
Connection closed by foreign host.
From outside it is the same, replacing localhost with domain.com.
Thank you
warning: No server certs available. TLS won’t be enabled
May 27 16:02:58 postfix/smtpd[4117]: connect from unknown[]
May 27 19:02:58 postfix/smtpd[4117]: warning: Wrapper-mode request dropped from unknown[] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
May 27 19:02:58 postfix/smtpd[4117]: disconnect from unknown[***]
You were right, it was not running.
Anyway still errors sending mails in SSL (465)
May 27 22:50:35 postfix/smtpd[686]: warning: No server certs available. TLS won’t be enabled
May 27 22:50:35 postfix/smtpd[686]: connect from unknown[]
May 28 01:50:35 postfix/smtpd[686]: warning: Wrapper-mode request dropped from unknown[] for service smtps. TLS context initialization failed. For details see earlier warnings in your logs.
I am looking at the headers of both received test mails, sent with and without SSL.
The noticeable thing was that the mail sent with the cert does not contain SpamAssassin filtering headers like the one sent without the cert:
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on cl-t102-130cl.privatedns.com
X-Spam-Level:
X-Spam-Status: No, score=-104.3 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00,
HTML_MESSAGE,MIME_HTML_MOSTLY,USER_IN_WHITELIST autolearn=ham version=3.2.5
And back to my first post.
Is it possible to force every user to send mail using ssl?
Is it worth it, to prevent massive spam sending from a strange script (php, cgi or other)?
Or is there another way to prevent this devil?
Thanks again.
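The “No server certs available. TLS won’t be enabled” warning in the logs above means smtpd has no certificate/key configured at all, so every wrapper-mode connection on 465 is dropped. The fragment below is an added example (not the poster’s or Eric’s configuration) showing the main.cf and master.cf settings that address that warning and the last question about forcing remote users to submit over SSL; the file paths, hostname and the presence of a working SASL backend are assumptions.

```conf
# --- /etc/postfix/main.cf (added example; paths and hostname are assumptions) ---
# Without a cert and key, smtpd logs "No server certs available. TLS won't be enabled"
# and drops every wrapper-mode (port 465) connection.
# If the CA supplies intermediate certificates, append them to the .crt file.
smtpd_tls_cert_file = /etc/pki/tls/certs/mail.example.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/mail.example.com.key
# The key must be the decrypted ssl.key, readable only by root (chmod 0600).
# Port 25 stays at "may": other mail servers must still be able to deliver in clear text.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1
# Relay only for local networks and SASL-authenticated users; everyone else only for local domains.
smtpd_sasl_auth_enable = yes
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination

# --- /etc/postfix/master.cf ---
# smtps on 465: TLS wrapper mode, encryption required, relaying only after SASL login.
# This is what forces every remote user to submit over SSL.
smtps     inet  n       -       n       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# Same policy on the submission port (587, STARTTLS) for clients that cannot do wrapper mode.
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

# Verify after "postfix reload":
#   postconf -n | grep smtpd_tls                       (settings actually in effect)
#   openssl s_client -connect mail.example.com:465     (should show the certificate chain)
#   openssl s_client -starttls smtp -connect mail.example.com:587
```

Note that PHP’s mail() hands messages to the local sendmail binary rather than connecting to port 465, so requiring TLS for remote submission does not by itself constrain scripts running on the server; that needs separate local controls (which users may run sendmail, rate limits, and reviewing the maillog for unexpected local submissions).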