  #1  
28th September 2011, 15:01
sj200449
Overview of Ports Used per Authentication Method

Hi All,

I followed the "Virtual Users And Domains With Postfix, Courier, MySQL And SquirrelMail (CentOS 6.0 x86_64)" found here:

http://www.howtoforge.com/virtual-us...tos-6.0-x86_64

On a freshly installed Basic Server (a cheap desktop PC I inherited and put some memory in). It worked fine for SquirrelMail. I would like to access it from outside my network with either Thunderbird or Outlook and my mobile phone.

This is a private mail server behind a household router.

I opened port 25 and port 993 on my router with IP forwarding/triggering to the correct machine.

It works for my mobile and for Thunderbird (afaik, haven't done that externally yet) but not for Outlook.

1. Why did I not have to tell Postfix in main.cf my external-facing IP address to accommodate the NAT? I had to do this before when not using virtual users and MySQL but real users. In fact main.cf doesn't appear to know much about my actual machine at all - just about some virtual stuff.

2. Would someone point me in the right direction for an explanation of TLS which defaults to port 587, SSL which defaults to 465 and if using 25 is considered OK? I am confused about the stage in the authentication process at which any encryption is happening (if at all) and if the authentication is sent in plain text 'til complete, then your link is encrypted.

3. As per above in 2. I have 993 open and am using SSL for IMAP reading but TLS would default to 143 - which should I use really?

4. Why doesn't Outlook work - do I need this broken_clients flag in main.cf or something?

Sorry for the vagueness and length. A good source would be great thank you.

-Stephen
  #2  
28th September 2011, 16:52
sj200449

I have read around a little more on SSL/TLS and tested closing port 993 (IMAP using SSL) and opening port 143 (IMAP using TLS).

This also works.

I have also read that SSL/TLS, with an exchange of certificates (self-generated in my case), is initially used to authenticate and establish an encryption key to use for subsequent encryption of the reading of your email etc.

Does that sound right?

This makes me think that the initial setup is not encrypted - my login and passwd for example plus the cert - then it is encrypted.

Is that OK? It bothers me.

Moving on to writing emails... 25 or 465 or 587? I'm gonna read about SMTPAUTHD now as I'm guessing it is involved and working together with some form of 'writing' encryption.
  #3  
29th September 2011, 10:43
sj200449

Re question 4 - Outlook 2003 issue, does need

broken_sasl_auth_clients = yes

However, it is already at yes so I'm not sure where I will look next.
  #4  
29th September 2011, 17:48
falko

Are there any errors in your mail log when you try to connect with Outlook?
__________________
Falko
  #5  
30th September 2011, 16:56
sj200449

Thank you for your response.

No errors in maillog, no response noted there at all. I believe it may even be the firewalls / access-lists at work from where I am testing it. I shall investigate this.

On another note, the main.cf uses the older "smtpd_use_tls" directive but does not set "smtpd_enforce_tls".

Why not use "smtpd_tls_security_level", as it appears to be Postfix version 2.6.6 on CentOS 6, and why not enforce TLS, as I understand this means PLAIN/LOGIN might under some circumstances be sent in plaintext?
  #6  
30th September 2011, 17:03
sj200449

Btw, I'm not using wrapper_mode but STARTTLS proper so I understand port 465 does not need to be open.

However, should I be opening 587 or 25 or both? Not sure on that bit. At present 25 is open. My MX record points to my router, and it forwards 25 to my mail server.

I apologise for the fragmented nature of these questions. I'm learning as I go.
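One way to test the concern raised in posts #5 and #6 (whether PLAIN/LOGIN can travel before TLS is up on a STARTTLS port) is to compare the server's EHLO reply before and after STARTTLS. This is an added example, not part of the thread or of Postfix; the transcripts and the host name mail.example.test are constructed, and the "gated" reply models a server that withholds AUTH until TLS is active, which is what Postfix's smtpd_tls_auth_only = yes does.

```python
# Constructed EHLO replies, not captured from the poster's server.
# With broken_sasl_auth_clients = yes Postfix also sends the legacy "AUTH=" line.
AUTH_LINES = "250-AUTH PLAIN LOGIN\n250-AUTH=PLAIN LOGIN\n"
PRE_TLS_OPEN = "250-mail.example.test\n250-STARTTLS\n" + AUTH_LINES + "250 8BITMIME"
PRE_TLS_GATED = "250-mail.example.test\n250-STARTTLS\n250 8BITMIME"
POST_TLS = "250-mail.example.test\n" + AUTH_LINES + "250 8BITMIME"

CLEARTEXT_MECHS = {"PLAIN", "LOGIN"}  # only base64-encoded, readable without TLS


def parse_ehlo(reply):
    """Return {KEYWORD: set(parameters)} from a multi-line 250 EHLO reply."""
    caps = {}
    for line in reply.splitlines()[1:]:  # the first line is the server name
        if line[:3] != "250" or line[3:4] not in ("-", " "):
            continue
        text = line[4:].upper()
        if text.startswith("AUTH="):  # fold the legacy form into AUTH
            text = "AUTH " + text[5:]
        words = text.split()
        if words:
            caps.setdefault(words[0], set()).update(words[1:])
    return caps


def audit(pre_tls, post_tls):
    """List findings for one port from the EHLO replies around STARTTLS."""
    pre, post = parse_ehlo(pre_tls), parse_ehlo(post_tls)
    findings = []
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered: the session stays in cleartext")
    exposed = pre.get("AUTH", set()) & CLEARTEXT_MECHS
    if exposed:
        findings.append("AUTH %s offered before STARTTLS: credentials can "
                        "cross the network unencrypted" % "/".join(sorted(exposed)))
    if "AUTH" not in post:
        findings.append("AUTH not offered after STARTTLS: clients cannot log in")
    return findings


if __name__ == "__main__":
    for name, pre in (("open", PRE_TLS_OPEN), ("gated", PRE_TLS_GATED)):
        print(name, audit(pre, POST_TLS) or "ok")
```

An empty result for a port means AUTH only appears once the session is encrypted; the same check applies to whichever of 25 or 587 is forwarded.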