
I've been trying to set up Postfix on our Debian server and as I understand it, all messages get sent via Telnet on port 25.

I've followed these instructions exactly:

http://wiki.debian.org/Postfix

http://wiki.debian.org/PostfixAndSASL

However I get to the part "Alternate TLS/SSL Ports" and it doesn't really make sense after that. I would like to send emails over SSL (on port 465 I believe) unless there is an alternative option for sending encrypted mail or any reason I don't need to?

EddyR

1 Answer

First of all, you don't send mail over telnet, but via SMTP. You can use the telnet program to talk to your mailserver for testing purposes.

Then you have to understand that SSL encryption is basically "only" used to protect your password when authenticating with an SMTP server to avoid sending it in plain text. Mails sent from your server to any other are still going out in plain text.

The alternate port for SSMTP in this context has the purpose of telling the server upon connection that you want to talk to it encrypted. This can be useful with older mail clients which don't know about the STARTTLS method. If you have newer clients capable of this, you can use port 25, start the connection unencrypted and then switch to encrypted transmission with the STARTTLS command before sending your password.

Sven
  • Postfix can relay SSL encrypted if the receiving host supports it, most do not however. Another benefit of TLS-enabling your MTA is that the outgoing mail from your client can be encrypted, if for example you are using public wifi. – jamespo Mar 03 '11 at 11:02
  • So what's the difference between SSL and TLS? The terms seem to be used interchangeably - even on wikipedia http://en.wikipedia.org/wiki/Transport_Layer_Security. – EddyR Mar 03 '11 at 12:08
  • More to the point - I completed instructions "Adding TLS". Does this mean all sent messages are already encrypted? – EddyR Mar 03 '11 at 12:11
  • Basically, TLS is a newer version of SSL. – Sven Mar 03 '11 at 12:12
  • No, not at all. You have enabled the server to use encryption, but that doesn't mean it gets used. First, relaying to other servers will most likely be unencrypted, nearly no one allows encryption for that, and since you will only have self-signed certificates, other servers couldn't talk TLS to you anyway. But you can configure your MTA (Thunderbird, Outlook etc.) to use either SSMTP or STARTTLS now and they will use it to drop off the mail at your server. – Sven Mar 03 '11 at 12:16
  • Right okay, so you don't send emails with a self signed cert because no one would accept it anyway - just like a website. But if you have SSMTP enabled and they have SSMTP you can receive encrypted mail. (Sorry if I'm being a bit slow with this!) – EddyR Mar 03 '11 at 12:44
  • What I said in my last comment is correct then? It just seems really strange to think the vast majority of emails are sent in plain text. – EddyR Mar 04 '11 at 03:37
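A way to verify what the answer above describes on your own server, as an added example that is not part of the original answer or of Postfix: it treats port 465 as wrapper-mode TLS from the first byte and ports 25/587 as plaintext EHLO followed by STARTTLS, parses the EHLO reply to see whether STARTTLS is actually advertised, and reports whether the certificate chain verifies (a self-signed certificate, as discussed in the comments, shows up as a verification error). The host name and the sample EHLO reply are constructed placeholders.

```python
"""Report how an SMTP server offers encryption and whether its certificate verifies."""
import smtplib
import ssl

STARTTLS_PORTS = (25, 587)     # plaintext session, upgraded with the STARTTLS command
IMPLICIT_TLS_PORTS = (465,)    # SSMTP / "smtps" wrapper mode: TLS before any SMTP byte

# Constructed sample of a multi-line EHLO reply, as a server would send it.
SAMPLE_EHLO = b"250-mail.example.com\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN\r\n"


def connection_mode(port: int) -> str:
    """Map a port to the TLS mode a client should expect on it."""
    if port in IMPLICIT_TLS_PORTS:
        return "implicit-tls"
    if port in STARTTLS_PORTS:
        return "starttls"
    return "unknown"


def starttls_offered(ehlo_reply: bytes) -> bool:
    """True if the EHLO reply advertises STARTTLS (with or without '250-' prefixes)."""
    for line in ehlo_reply.splitlines():
        line = line.strip()
        if line[:3] == b"250" and len(line) > 4:   # strip "250-" / "250 " if present
            line = line[4:]
        if line.upper() == b"STARTTLS":
            return True
    return False


def check_server(host: str, port: int) -> dict:
    """Connect in the mode implied by the port and report what the server supports."""
    ctx = ssl.create_default_context()   # verifies chain and host name, like a real MUA
    result = {"mode": connection_mode(port), "starttls": False, "cert_ok": False}
    try:
        if result["mode"] == "implicit-tls":
            with smtplib.SMTP_SSL(host, port, context=ctx, timeout=10) as s:
                s.ehlo()
                result["cert_ok"] = True            # handshake succeeded under verification
        else:
            with smtplib.SMTP(host, port, timeout=10) as s:
                _code, msg = s.ehlo()               # msg is the reply body as bytes
                result["starttls"] = starttls_offered(msg)
                if result["starttls"]:
                    s.starttls(context=ctx)
                    result["cert_ok"] = True
    except ssl.SSLCertVerificationError as e:
        result["error"] = f"certificate not trusted: {e.reason}"
    except (OSError, smtplib.SMTPException) as e:
        result["error"] = str(e)
    return result


if __name__ == "__main__":
    print(check_server("mail.example.com", 587))  # placeholder host; replace with your MTA
```

A result with `"starttls": True` but a certificate error means exactly the situation Sven describes: encryption is offered, but a verifying client will refuse it until a trusted certificate is installed.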