Since you got it working, I'll just comment on a couple of things...
On Mon, 12 Mar 2012, Richard Troy wrote:
> When I do "postconf -a" it indicates cyrus and dovecot, so I take it that means Postfix has been built with sasl support. (I presume this means I don't have to compile it from source.)
Correct...
> From the working environ, only listening on port 25, I simply added the following (as per directions already cited above):
You really should separate AUTH to the port that is designed for it: port 587 (aka the 'submission' port/service)... just uncomment it (and its attendant lines) in master.cf
> The documentation found here:
> http://www.postfix.org/TLS_README.html
> claims (intimates) that it's not possible to run a site on a self-signed certificate,
Where does it state any such thing? I've been using self-signed certs for 8+ years with postfix...
You do have to 'accept' the certs in the clients though, and that can scare some users. I've had zero problems with this in Android, and none in recent versions of iOS, although earlier versions required you to install the cert manually (could be done using Safari on the iPhone)...
Also, Outlook provides no simple way to Accept a Cert and store it permanently (Thunderbird does), so unless/until Outlook users import the Cert, they'll have to accept it each time they fire up Outlook and check mail.
> And, by the way, what's port 465 all about? Some clients propose that's what should be used to send...
It is the *deprecated* SMTPS (smtp over SSL). All modern clients can use the submission service, but some older versions of Outlook/Outlook Express can only use 465. It doesn't hurt anything to have it enabled, but you should absolutely tell all other clients to use the normal submission service (STARTTLS on port 587).
--
Best regards,
Charles
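
An added example, not part of the original message: a small audit of master.cf that checks whether the submission service (587) is enabled with mandatory STARTTLS and AUTH, and whether smtps (465) has wrapper mode set. The sample file is constructed; the check reads only `-o name=value` overrides in master.cf and assumes main.cf defaults are reviewed separately.

```python
import re

# Constructed sample master.cf (not from the thread): submission is
# uncommented correctly, smtps is missing its wrappermode override.
SAMPLE_MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
#628       inet  n  -  n  -  -  qmqpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
#  -o milter_macro_daemon_name=ORIGINATING
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
"""

OVERRIDE = re.compile(r"-o\s+([\w.]+)=(\S+)")

def parse_master_cf(text):
    """Map each inet service name to its '-o name=value' overrides."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank and comment lines are skipped
        if not line[0].isspace():         # non-whitespace starts a new entry
            fields = line.split()
            is_inet = len(fields) >= 8 and fields[1] == "inet"
            current = services.setdefault(fields[0], {}) if is_inet else None
        if current is not None:           # indented lines continue the entry
            current.update(OVERRIDE.findall(line))
    return services

def audit(text):
    """Return findings about where AUTH and TLS are offered."""
    svc, findings = parse_master_cf(text), []
    sub = svc.get("submission")
    if sub is None:
        findings.append("submission (587) service is not enabled")
    else:
        if sub.get("smtpd_tls_security_level") != "encrypt":
            findings.append("submission (587): STARTTLS not mandatory in master.cf")
        if sub.get("smtpd_sasl_auth_enable") != "yes":
            findings.append("submission (587): no AUTH override in master.cf")
    if "smtps" in svc and svc["smtps"].get("smtpd_tls_wrappermode") != "yes":
        findings.append("smtps (465): no smtpd_tls_wrappermode=yes override")
    if svc.get("smtp", {}).get("smtpd_sasl_auth_enable") == "yes":
        findings.append("smtp (25): AUTH enabled by a master.cf override")
    return findings
```

Because comment lines are skipped and indented lines continue the previous entry, uncommenting the `-o` lines while leaving the `submission` line commented attaches those overrides to the port 25 `smtp` service, which `audit()` reports.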