masqmail
changeset 223:9814e75de61c
updated docs to STARTTLS wrappers
author | meillo@marmaro.de |
---|---|
date | Fri, 23 Jul 2010 11:18:20 +0200 (2010-07-23) |
parents | 8cddc65765bd |
children | 996b53a50f55 |
files | docs/simple-relay-setup examples/openssl.route man/masqmail.route.5 |
diffstat | 3 files changed, 34 insertions(+), 15 deletions(-) [+] |
1.1 --- a/docs/simple-relay-setup Fri Jul 23 10:57:53 2010 +0200
1.2 +++ b/docs/simple-relay-setup Fri Jul 23 11:18:20 2010 +0200
1.3 @@ -38,8 +38,12 @@
1.4 
1.5 # where to relay to; the address and port of the smart host
1.6 mail_host = "mail.gmx.net:25"
1.7 - # use the wrapper to enable encryption
1.8 - #wrapper = "openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
1.9 + # use a wrapper to enable encryption
1.10 + # for STARTTLS on port 25:
1.11 + #instant_helo=true
1.12 + #wrapper="/usr/bin/openssl s_client -quiet -starttls smtp -connect mail.gmx.net:25 2>/dev/null"
1.13 + # for SMTP over SSL on port 465:
1.14 + #wrapper = "/usr/bin/openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
1.15 
1.16 do_correct_helo = true
1.17
2.1 --- a/examples/openssl.route Fri Jul 23 10:57:53 2010 +0200
2.2 +++ b/examples/openssl.route Fri Jul 23 11:18:20 2010 +0200
2.3 @@ -6,9 +6,15 @@
2.4 
2.5 # encryption is done by communicating through openssl
2.6 
2.7 -wrapper="/usr/bin/openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
2.8 -# you may want to tell openssl where the certificates are stored
2.9 -#wrapper="/usr/bin/openssl s_client -quiet -CApath /etc/ssl -connect mail.gmx.net:465 2>/dev/null"
2.10 +# Today usually STARTTLS (RFC-3207) is used:
2.11 +# don't forget the instant_helo, otherwise it won't work, because the wrapper eats the 220 greeting
2.12 +instant_helo=true
2.13 +wrapper="/usr/bin/openssl s_client -quiet -starttls smtp -connect mail.gmx.net:25 2>/dev/null"
2.14 +
2.15 +# The old way is SMTP over SSL; the IETF had marked it obsolete:
2.16 +# don't use instant_helo here
2.17 +#wrapper="/usr/bin/openssl s_client -quiet -connect mail.gmx.net:465 2>/dev/null"
2.18 +
2.19 
2.20 # which addresses are allowed through this route?
2.21 allowed_return_paths = "*@gmx.de;*@gmx.net"
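Review bot: Neither wrapper line in this hunk verifies the smart host's certificate, so the encryption it enables is not authenticated: `openssl s_client` completes the handshake even when certificate verification fails, and the `2>/dev/null` redirect discards the "verify error" line it would print, so a man-in-the-middle presenting any certificate is accepted silently. The hunk also removes the old `-CApath /etc/ssl` hint (removed lines 2.8-2.9), which was the only pointer to a trust store in this example. I would keep a CA path and make verification fatal on the new STARTTLS line, e.g. `wrapper="/usr/bin/openssl s_client -quiet -starttls smtp -CApath /etc/ssl/certs -verify_return_error -connect mail.gmx.net:25 2>/dev/null"`, preceded by a comment such as `# s_client continues after a failed certificate check; -verify_return_error (OpenSSL 1.0.0+) makes it abort instead`. Whether every OpenSSL that masqmail users run at this point supports `-verify_return_error` is something I cannot confirm from here; if it is not available, at least restoring the `-CApath` hint and telling users not to discard stderr while testing keeps the verify result visible. The same caveat applies to the commented SMTP-over-SSL wrapper on line 2.17.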
3.1 --- a/man/masqmail.route.5 Fri Jul 23 10:57:53 2010 +0200
3.2 +++ b/man/masqmail.route.5 Fri Jul 23 11:18:20 2010 +0200
3.3 @@ -80,7 +80,7 @@
3.4 after opening the connection.
3.5 Instead it says EHLO right away (ESMTP is assumed).
3.6 Use this option with wrappers that eat the 220 greeting of the SMTP server.
3.7 -Common examples are STARTTLS wrappers, like `openssl -starttls smtp ...'.
3.8 +Common examples are STARTTLS wrappers, like `openssl s_client -starttls smtp ...'.
3.9 
3.10 If this option is set and a 220 greeting is received though,
3.11 everything should still work.
3.12 @@ -188,8 +188,9 @@
3.13 the local parts (the keys) are separated from the addresses (the values) by colons (`:').
3.14 
3.15 Example:
3.16 -
3.17 +.nf
3.18 map_h_from_addresses = "john: John Smith <jsmith@mail.academic.edu>; charlie: Charlie Miller <cmiller@mx.commercial.com>"
3.19 +.fi
3.20 
3.21 You can use patterns, eg. * as keys.
3.22 
3.23 @@ -214,8 +215,9 @@
3.24 The most important difference is that RFC 821 addresses have no full name.
3.25 
3.26 Example:
3.27 -
3.28 +.nf
3.29 map_return_path_addresses = "john: <jsmith@mail.academic.edu>; charlie: <cmiller@mx.commercial.com>"
3.30 +.fi
3.31 
3.32 You can use patterns, eg. * as keys.
3.33 
3.34 @@ -275,17 +277,24 @@
3.35 \fIcommand\fR will be called and all traffic will be piped to its stdin and from its stdout.
3.36 Purpose is to tunnel ip traffic, eg. for ssl.
3.37 
3.38 -Example for ssl tunneling:
3.39 +Example for SMTP over SSL tunneling:
3.40 +.nf
3.41 +wrapper="/usr/bin/openssl s_client \-quiet \-connect mail.gmx.net:465 2>/dev/null"
3.42 +.fi
3.43 
3.44 -wrapper="/usr/bin/openssl s_client \-quiet \-connect mail.gmx.net:465 2>/dev/null"
3.45 +SMTP over SSL is supported since masqmail-0.1.8.
3.46 +It is marked obsolete by the IETF but is still in use.
3.47 
3.48 -Note: The above line works with masqmail,
3.49 -but listening on Port 465 for SSL-encrypted connections is deprecated.
3.50 -The modern way is STARTTLS (RFC-3207).
3.51 -This could be covered by the following command.
3.52 -Unfortunately, masqmail doesn't support that yet (as of 0.2.25).
3.53 
3.54 +Example for encryption with STARTTLS (RFC-3207):
3.55 +.nf
3.56 +# don't forget the instant_helo, otherwise it won't work
3.57 +instant_helo=true
3.58 wrapper="/usr/bin/openssl s_client \-quiet \-starttls smtp \-connect mail.gmx.net:25 2>/dev/null"
3.59 +.fi
3.60 +
3.61 +This is supported since masqmail-0.2.28.
3.62 +STARTTLS supersedes SMTP over SSL.
3.63 
3.64 Note for openssl:
3.65 Ensure that stderr is redirected.