Comments on: Securing your basic mailserver using TLS/SSL

By: Richard

Richard — Mon, 29 Mar 2010 04:44:06 +0000

@Richard M. You’d be better of commenting that line out completely. Please note that Security Updates have a reputation of putting that line back in.

By: Richard Mace

Richard Mace — Mon, 29 Mar 2010 00:55:10 +0000

update:

I figured it out, at the end of main.cf there was inet_interfaces = localhost. I changed that to all, and stopped the server (reload will not set the change into effect, you need to sudo postfix stop).

By: Richard Mace

Richard Mace — Mon, 29 Mar 2010 00:20:47 +0000

I am having a problem telneting into my server. If I telnet localhost 25, it will work, but I cannot telnet local.network.ip.address 25 from another computer. I get connection refused. I have the port forwarded from my router, but I can’t telnet from outside of my network either. Any ideas?

By: Markis

Markis — Sun, 15 Mar 2009 20:12:53 +0000

Hi Richard,

I have an IP address for each my domains that require it. I had to do this for Apache2 as well. So is it possible in Postfix? I found how it works in Courier.

The problem with a single hostname is I have a couple of clients that don’t want to infer affiliation with any outside organizations.

Thanks,
Mark

By: Richard

Richard — Sun, 15 Mar 2009 09:11:19 +0000

Markis, it is not possible to use multiple SSL certificates for more than one ip-address. If you don’t want the warnings there is no other solution then buying an expensive official certificate.

Another solution is to use one single hostname name for all mail services. So everybody needs to connect to mail.neuquest.com.

By: Markis

Markis — Sun, 15 Mar 2009 08:19:59 +0000

Hi Richard,

If I’m running multiple domains, is there a way to have to configure for separate SSL Certificates for each domain? I know I can just use one domain for the mail server, but on some clients it would be nice to hide that they are on a shared host. Also I know I could have it so the SSL Certificate isn’t signed and use one generic SSL, but the email clients complain about the mismatched SSL Certs. It would be nice if Postfix had a msyql file like mysql_virtual_domains_maps.cf for SSL Certificates, but I don’t know how that would work with the imapd-ssl configuration.

Thanks, Markis

By: Richard

Richard — Wed, 29 Aug 2007 05:41:27 +0000

Marc, no they don’t as you still might have clients and other mailservers that can’t use TLS. If you are enforcing TLS you won’t be able to receive mail from non TLS enabled clients or servers. TLS is only there to enforce clients using your server to send mail to others to logon securely. It is enforced if you logon to the server.

By: Marc

Marc — Tue, 28 Aug 2007 22:18:01 +0000

in the main.cf file for Postfix:
smtpd_enforce_tls = no

and in the imapd-ssl file it says:
IMAP_TLS_REQUIRED=0

are these settings really forcing the use of tls?

By: Dave

Dave — Tue, 10 Apr 2007 07:10:53 +0000

Hi,
it would be very nice if you could add the necessary information to get the certificate signed.
I am using a CaCert Certificate (which is free). Unfortunately I didn’t wrote down how i cooked everything together until it worked. Today I renewed my certificate and manually edited the pem files etc. and replaced my certificate. everything works, but i am not sure if I did it the correct way
So if you are adding information on using signed certificates, it would be cool if you could add information on certificate renewal, too. Best regards and keep up the good work!

b.t.w. why did you wipe the roundcubemail docs? they were very good!