masqmail

changeset 223:9814e75de61c

updated docs to STARTTLS wrappers
author meillo@marmaro.de
date Fri, 23 Jul 2010 11:18:20 +0200
parents 8cddc65765bd
children 996b53a50f55
files docs/simple-relay-setup examples/openssl.route man/masqmail.route.5
diffstat 3 files changed, 34 insertions(+), 15 deletions(-)
line diff
     1.1 --- a/docs/simple-relay-setup	Fri Jul 23 10:57:53 2010 +0200
     1.2 +++ b/docs/simple-relay-setup	Fri Jul 23 11:18:20 2010 +0200
     1.3 @@ -38,8 +38,12 @@
     1.4  
     1.5      # where to relay to; the address and port of the smart host
     1.6      mail_host = "mail.gmx.net:25"
     1.7 -    # use the wrapper to enable encryption
     1.8 -    #wrapper = "openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
     1.9 +    # use a wrapper to enable encryption
    1.10 +    # for STARTTLS on port 25:
    1.11 +    #instant_helo=true
    1.12 +    #wrapper="/usr/bin/openssl s_client -quiet -starttls smtp -connect mail.gmx.net:25 2>/dev/null"
    1.13 +    # for SMTP over SSL on port 465:
    1.14 +    #wrapper = "/usr/bin/openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
    1.15      
    1.16      do_correct_helo = true
    1.17      
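Review bot: the two wrapper variants at 1.10-1.14 have opposite requirements for instant_helo, but only the STARTTLS one says so; the port-465 variant should carry the same "don't use instant_helo here" remark that examples/openssl.route gets in this changeset, otherwise a user who uncomments 1.11 for STARTTLS and later switches to 1.14 will send EHLO into the middle of the server's 220 banner and get a confusing failure. Minor style point in the same block: 1.12 uses `wrapper="..."` while 1.14 uses `wrapper = "..."`; pick one spelling for the file.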
     2.1 --- a/examples/openssl.route	Fri Jul 23 10:57:53 2010 +0200
     2.2 +++ b/examples/openssl.route	Fri Jul 23 11:18:20 2010 +0200
     2.3 @@ -6,9 +6,15 @@
     2.4  
     2.5  # encryption is done by communicating through openssl
     2.6  
     2.7 -wrapper="/usr/bin/openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
     2.8 -# you may want to tell openssl where the certificates are stored
     2.9 -#wrapper="/usr/bin/openssl s_client -quiet -CApath /etc/ssl -connect mail.gmx.net:465 2>/dev/null"
    2.10 +# Today usually STARTTLS (RFC-3207) is used:
    2.11 +# don't forget the instant_helo, otherwise it won't work, because the wrapper eats the 220 greeting
    2.12 +instant_helo=true
    2.13 +wrapper="/usr/bin/openssl s_client -quiet -starttls smtp -connect mail.gmx.net:25 2>/dev/null"
    2.14 +
    2.15 +# The old way is SMTP over SSL; the IETF had marked it obsolete:
    2.16 +# don't use instant_helo here
    2.17 +#wrapper="/usr/bin/openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
    2.18 +
    2.19  
    2.20  # which addresses are allowed through this route?
    2.21  allowed_return_paths = "*@gmx.de;*@gmx.net"
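Review bot: 2.8-2.9 were the only place the examples showed how to point openssl at a trust store (`-CApath /etc/ssl`), and this hunk drops them without replacement. With no `-CApath`/`-CAfile` and stderr sent to /dev/null, `openssl s_client` still completes the handshake when the server certificate cannot be verified and merely reports it on the discarded stderr, so the resulting tunnel is protected against passive eavesdropping only. Suggest keeping the `-CApath` variant (adapted with `-starttls smtp` for the new default) rather than removing it. Style nit: 2.18 plus the unchanged 2.19 leave two consecutive blank lines before the allowed_return_paths section.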
     3.1 --- a/man/masqmail.route.5	Fri Jul 23 10:57:53 2010 +0200
     3.2 +++ b/man/masqmail.route.5	Fri Jul 23 11:18:20 2010 +0200
     3.3 @@ -80,7 +80,7 @@
     3.4  after opening the connection.
     3.5  Instead it says EHLO right away (ESMTP is assumed).
     3.6  Use this option with wrappers that eat the 220 greeting of the SMTP server.
     3.7 -Common examples are STARTTLS wrappers, like `openssl -starttls smtp ...'.
     3.8 +Common examples are STARTTLS wrappers, like `openssl s_client -starttls smtp ...'.
     3.9  
    3.10  If this option is set and a 220 greeting is received though,
    3.11  everything should still work.
    3.12 @@ -188,8 +188,9 @@
    3.13  the local parts (the keys) are separated from the addresses (the values) by colons (`:').
    3.14  
    3.15  Example:
    3.16 -
    3.17 +.nf
    3.18  map_h_from_addresses = "john: John Smith <jsmith@mail.academic.edu>; charlie: Charlie Miller <cmiller@mx.commercial.com>"
    3.19 +.fi
    3.20  
    3.21  You can use patterns, eg. * as keys.
    3.22  
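Review bot: wrapping the example in `.nf`/`.fi` at 3.17-3.19 disables filling, so the roughly 120-character map_h_from_addresses line at 3.18 will now be truncated or wrapped mid-token by the pager instead of being reflowed; consider splitting the example into two shorter entries (one per key) inside the `.nf` block. The same applies to the map_return_path_addresses example in the next hunk.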
    3.23 @@ -214,8 +215,9 @@
    3.24  The most important difference is that RFC 821 addresses have no full name.
    3.25  
    3.26  Example:
    3.27 -
    3.28 +.nf
    3.29  map_return_path_addresses = "john: <jsmith@mail.academic.edu>; charlie: <cmiller@mx.commercial.com>"
    3.30 +.fi
    3.31  
    3.32  You can use patterns, eg. * as keys.
    3.33  
    3.34 @@ -275,17 +277,24 @@
    3.35  \fIcommand\fR will be called and all traffic will be piped to its stdin and from its stdout.
    3.36  Purpose is to tunnel ip traffic, eg. for ssl.
    3.37  
    3.38 -Example for ssl tunneling:
    3.39 +Example for SMTP over SSL tunneling:
    3.40 +.nf
    3.41 +wrapper="/usr/bin/openssl s_client \-quiet \-connect mail.gmx.net:465 2>/dev/null"
    3.42 +.fi
    3.43  
    3.44 -wrapper="/usr/bin/openssl s_client \-quiet \-connect mail.gmx.net:465 2>/dev/null"
    3.45 +SMTP over SSL is supported since masqmail-0.1.8.
    3.46 +It is marked obsolete by the IETF but is still in use.
    3.47  
    3.48 -Note: The above line works with masqmail,
    3.49 -but listening on Port 465 for SSL-encrypted connections is deprecated.
    3.50 -The modern way is STARTTLS (RFC-3207).
    3.51 -This could be covered by the following command.
    3.52 -Unfortunately, masqmail doesn't support that yet (as of 0.2.25).
    3.53  
    3.54 +Example for encryption with STARTTLS (RFC-3207):
    3.55 +.nf
    3.56 +# don't forget the instant_helo, otherwise it won't work
    3.57 +instant_helo=true
    3.58  wrapper="/usr/bin/openssl s_client \-quiet \-starttls smtp \-connect mail.gmx.net:25 2>/dev/null"
    3.59 +.fi
    3.60 +
    3.61 +This is supported since masqmail-0.2.28.
    3.62 +STARTTLS supersedes SMTP over SSL.
    3.63  
    3.64  Note for openssl:
    3.65  Ensure that stderr is redirected.
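Review bot: neither example at 3.41 nor 3.58 verifies the peer certificate, and the unchanged note at 3.64-3.65 tells the reader to redirect stderr, which is exactly where `openssl s_client` reports a failed verification before continuing anyway. The man page should say that masqmail only sees the plaintext side of the pipe and cannot tell whether the wrapper verified anything, and the examples should pass `-CApath` or `-CAfile` (as the removed examples/openssl.route line did) so that the "supersedes SMTP over SSL" claim at 3.62 is not read as a statement about authentication. Smaller point: the comment at 3.56 ("otherwise it won't work") would be more useful as a cross-reference to the instant_helo option, which already explains the reason (the wrapper eats the 220 greeting).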