NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: postfix for 2 domains on 1 vps 1 ip
Jason Mitchell wrote:
> Bob Proulx wrote:
> > Then Thunderbird will *send* mail using again many possible protocols
> > but perhaps most typically using an authenticated SMTP to the
> > submission port 587 on the configured mail server. Postfix is my
> > preference. This outbound connection to the submission port will use
> > STARTTLS most typically and will require authentication credentials.
> > An account name and password.
>
> I'm referring to implicit SSL for SMTP -- port 465. I'm doing it with
> stunnel, but I assume later MTA's do this internally. However, it appears I
> was wrong, it wasn't the certificate being the problem, it was the TLS
> version.
Ah! The submissions port formerly known as the smtps port. TLS
encrypted SMTP. Gotcha! I don't support any Outlook only clients but
I have read articles saying that Outlook only supports outgoing mail
to TLS port 465. And we now have RFC 8314 too. January 2018 is
fairly recent as email goes. But it has made it into the standards
now.
Cleartext Considered Obsolete: Use of Transport Layer Security (TLS)
for Email Submission and Access
January 2018
https://tools.ietf.org/html/rfc8314
And because that is always a configured connection between known
client and the associated server then any policy made by the local
admin is the rule. Therefore if the local policy requires them to be
signed by a well known CA then that is certainly okay. I admit that I
don't know what the generally accepted practice is about this. If I
have time I will try to find out. There is too much for anyone to
know! :-)
For both sending outbound mail and for receiving inbound mail there
are many possible protocols. That's why I used so many weasel words
like "typical" and such. No way to cover all possibilities in a
single generalization. Have to walk each possible path individually.
> And mail.com is one site that requires the forward/reverse DNS lookups to
> match (regardless of SPF), in case anyone wanted an example.
Examples are perfect! :-)
"Few things are harder to put up with than the annoyance of a good
example." --Mark Twain
Just for a clarification let me note that it is okay for a mail site
to send mail to these types of sites for other domains for which they
handle mail. A multi-domain mail site is allowed to send mail for
other domains. That's fine. They just need to fully identify
themselves as the single exit node FQDN that they are using. Then the
forward reverse DNS lookup verification passes for the exit node.
That's used in the HELO/EHLO envelope header. That's all okay.
So for example it is okay for a mailing list for a domain like
users%lists.example.com@localhost be hosted on a machine server123.example.net
at a different hostname and FQDN. That's okay. The name set as the
reverse DNS lookup should match the FQDN of the hostname. As long as
that is true then everything should work okay.
Bob
Home |
Main Index |
Thread Index |
Old Index