On Tue, 29 Jul 2008, Victor Duchovni wrote:

> On Tue, Jul 29, 2008 at 03:32:52PM +0200, Matthias Andree wrote:
>
> > Greetings,
> >
> > I have recently upgraded from a homebrewed Postfix 2.4 or 2.5
> > /experimental/ package to openSUSE 11.0's official package, which is
> > based on postfix-2.5.1.
> >
> > smtp_sasl_tls_verified_security_options apparently stopped working after
> > the upgrade.
>
> There has never been an official release where this feature is fully
> implemented. The code for 2.6 is ready, but it is in the review queue
> behind multi-instance support.

Well - then the smtp(8) manpage and "postfix -n" could need fixing for the
next 2.5.X and 2.4.Y releases to remove this confusion, as the former (as of
2.5.1, I didn't check 2.4.X) states:

| Available in Postfix version 2.4 and later:
|
| smtp_sasl_tls_verified_security_options ($smtp_sasl_tls_security_options)
|
|     The SASL authentication security options that the Postfix SMTP
|     client uses for TLS encrypted SMTP sessions with a verified server
|     certificate.

And postconf -n shows that Postfix has accepted this option - it might want
to log/print a warning instead...

Both facts together made me believe the feature made it into 2.5.

Please correct me if I'm wrong, I think I'm safe using
smtp_sasl_tls_security_options instead with smtp_tls_security_level and the
corresponding legacy options empty (unset) - except for a few listed sites
that require "secure" level (per smtp_tls_policy_maps) - so I'll only ever
have TLS if it's verified given my smtp_tls_policy_maps shown earlier (all
lines are "[blah.example.org]:25 secure match=nexthop").

Thanks & best regards

-- 
Matthias Andree
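
Added example, not part of the original message and not Postfix code: a small lint for the setup described in the message above, reporting any global setting or smtp_tls_policy_maps entry under which a TLS session could proceed without certificate verification. Assumptions: only the "verify" and "secure" levels count as verified, and the sample postconf output, policy table and file path are constructed.

```python
VERIFIED = {"verify", "secure"}  # assumption: levels that verify the server certificate
LEGACY = ("smtp_use_tls", "smtp_enforce_tls", "smtp_tls_per_site")

# Constructed sample inputs (not taken from the original message).
SAMPLE_POSTCONF = """\
smtp_sasl_tls_security_options = noanonymous
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""
SAMPLE_POLICY = """\
# constructed policy table
[blah.example.org]:25 secure match=nexthop
[mail.example.net]:25 secure
    match=nexthop
[relay.example.com]:587 encrypt
"""

def parse_postconf(text):
    """Parse 'name = value' lines as printed by postconf -n."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {name.strip(): value.strip() for name, _, value in pairs}

def parse_policy(text):
    """Return (destination, level) pairs; leading whitespace continues a line."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        if line[0].isspace() and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    pairs = [entry.replace(",", " ").split() for entry in logical]
    return [(f[0], f[1].lower() if len(f) > 1 else "") for f in pairs]

def unverified_tls_paths(postconf_text, policy_text):
    """List settings that could allow a TLS session without verification."""
    conf, findings = parse_postconf(postconf_text), []
    level = conf.get("smtp_tls_security_level", "")
    if level not in VERIFIED | {"", "none"}:
        findings.append(f"smtp_tls_security_level = {level}")
    for name in LEGACY:
        if conf.get(name, "no") not in ("", "no"):
            findings.append(f"{name} = {conf[name]}")
    for dest, lvl in parse_policy(policy_text):
        if lvl not in VERIFIED | {"none"}:
            findings.append(f"{dest} {lvl}")
    return findings
```

An empty result means every TLS session the client can negotiate under these settings is at a verifying level; with the constructed samples the only finding is the "encrypt" entry.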