Opened 7 months ago

Last modified 6 months ago

#3033 new task

lists.osgeo.org does not support port 587 starttls and mail.osgeo.org does not work with SSL

Reported by: robe Owned by: sac@…
Priority: normal Milestone: Sysadmin Contract 2024-III
Component: SysAdmin/Postfix Keywords:
Cc:

Description

I ran into this issue recently when experimenting with setting up discourse and also ran into it setting up video.osgeo.org.

Most apps these days default to port 587 / starttls.

As far as I can tell port 587 on osgeo6 is not reachable from our other hosts (or not at all) though I thought it was at some point in time. Or maybe postfix is no longer using that port?

At any rate port 25 (with or without SSL) works, port 465 with or without SSL works.

I should also note that when ssl is enabled, mail.osgeo.org often fails cause I guess we have no cert for mail.osgeo.org.

If we ever detangle lists.osgeo.org from the mail server, then this will become an issue.

I'm almost tempted to start a new mail.osgeo.org perhaps running in a container, but not sure if that will cause issues.

Change History (3)

comment:1 by strk, 7 months ago

I think for now it's ok to not support port 587 (submission, optionally with STARTTLS) and use port 465 (submissions, using SSL).

Port 25 is for MTA (mail transport agent) which receives email from an MSA (mail submission agent) which receives it from a MUA (mail user agent).

See:

The SSL certificate used for mail.osgeo.org belongs to name lists.osgeo.org so for now use that name. When/if we change that certificate name we will need to update instructions for the submissions service on the wiki (no link handy at the moment). For MTA/25/STARTTLS I guess it would be useful for the MX record host name to match the certificate name, I didn't check how it looks at the moment.

comment:2 by strk, 6 months ago

Milestone: Unplanned → Sysadmin Contract 2024-III

comment:3 by gdt, 6 months ago

I get the tangling problem, but

  • mailing list hosts need not implement submission as they do not serve MUAs
  • one can have alternative names in certs so they are valid for two names
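A quick way to check the claims in the description (587 unreachable, 465 fine, mail.osgeo.org failing verification because the certificate carries the lists.osgeo.org name) and, once a certificate with both names in subjectAltName is installed as gdt suggests, to confirm that both names verify: the probe below is an added example written for this ticket, not OSGeo's own tooling. It uses only the Python standard library; the host names and ports come from the ticket, while the timeout value and the outcome labels are my own choices.

```python
"""Probe an SMTP host's submission ports and report which transport modes work.

Added example for this ticket, not OSGeo's own tooling. Host names and ports
are taken from the ticket; the timeout and outcome labels are assumptions.
"""
import smtplib
import ssl
import sys

TIMEOUT = 10  # seconds per connection attempt (assumption)

# (port, mode) pairs the ticket discusses: plain 25, 25/STARTTLS,
# 587/STARTTLS and 465/implicit TLS
PROBES = ((25, "plain"), (25, "starttls"), (587, "starttls"), (465, "tls"))


def classify(exc):
    """Map the exception raised by a probe (or None) to a short outcome label.

    Order matters: SSLCertVerificationError is an SSLError, SMTPNotSupportedError
    is an SMTPException, and all of them are OSError subclasses.
    """
    if exc is None:
        return "ok"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify-failed"  # e.g. cert is for lists.osgeo.org, we asked for mail.osgeo.org
    if isinstance(exc, ssl.SSLError):
        return "tls-error"  # handshake failed for another reason
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "no-starttls"  # server did not advertise STARTTLS on this port
    if isinstance(exc, smtplib.SMTPException):
        return "smtp-error"  # unexpected reply or server disconnect
    if isinstance(exc, OSError):
        return "unreachable"  # refused, timed out, filtered, or DNS failure
    return "error:" + type(exc).__name__


def make_context(verify):
    """Return a verifying TLS context, or one that skips verification so that
    'TLS works but the name is wrong' can be told apart from 'TLS is broken'."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def probe(host, port, mode, verify=True):
    """Connect to host:port in the given mode ('plain', 'starttls' or 'tls')
    and return an outcome label.

    The certificate is verified against `host`, so probing the same server
    under two names shows which names its certificate actually covers.
    """
    ctx = make_context(verify)
    try:
        if mode == "tls":
            with smtplib.SMTP_SSL(host, port, timeout=TIMEOUT, context=ctx) as smtp:
                smtp.ehlo()
        else:
            with smtplib.SMTP(host, port, timeout=TIMEOUT) as smtp:
                smtp.ehlo()
                if mode == "starttls":
                    smtp.starttls(context=ctx)
                    smtp.ehlo()  # EHLO again after STARTTLS, as the protocol requires
        return "ok"
    except Exception as exc:  # every failure kind becomes a label
        return classify(exc)


def report(host):
    """Run all probes against one name and flag a pure name mismatch separately."""
    rows = []
    for port, mode in PROBES:
        outcome = probe(host, port, mode)
        if outcome == "cert-verify-failed" and probe(host, port, mode, verify=False) == "ok":
            outcome = "tls-ok-but-name-mismatch"
        rows.append((host, port, mode, outcome))
    return rows


if __name__ == "__main__":
    # e.g. python smtp_probe.py mail.osgeo.org lists.osgeo.org
    names = sys.argv[1:] or ["mail.osgeo.org", "lists.osgeo.org"]
    for name in names:
        for host, port, mode, outcome in report(name):
            print(f"{host}:{port} {mode:8} {outcome}")
```

Because verification uses the name you connect with, run it once per name. "tls-ok-but-name-mismatch" on mail.osgeo.org with "ok" on lists.osgeo.org is exactly the symptom in the description; "unreachable" on 587 with "ok" on 465 is the port finding. After a certificate that lists both names is installed, both names should report "ok" on 465 (and on 25 with STARTTLS) without any client-side change.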