J.P. Trosclair wrote, at 03/04/2009 04:05 PM:
> LuKreme wrote:
>> On 4-Mar-2009, at 13:08, J.P. Trosclair wrote:
>>> submission inet n - - - - smtpd
>>>   -o smtpd_tls_security_level=encrypt
>>
>> Why?
>
> I didn't explicitly add it. It was a left over from the default
> master.cf for the postfix package on debian 5.0. It's gone and
> everything is good, for now.

Put it back. smtpd_enforce_tls is deprecated since Postfix 2.3 and smtpd_tls_security_level should be used instead. Furthermore, you should leave it set to encrypt.

Part of the value of running a submission service on port 587 is that it allows you to severely restrict connections in a way that is acceptable to ISPs, who are blocking outgoing connections to SMTP port 25. If admins begin relaxing the restrictions on port 587 without understanding the ramifications, ISPs might start blocking it, too, which is bad for residential and roaming users who need it in order to relay mail through the desired server. An important part of this is encrypting all connections to port 587.

It's easy enough to set up another (local) port in master.cf that will serve your purpose (or someone might even be able to suggest an alternative approach).
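
As an added example (not part of the original thread and not Postfix's own tooling), the following check parses a master.cf and reports every smtpd listener on port 587 that is not forced to `smtpd_tls_security_level=encrypt` by an `-o` override. The sample file, the loopback port 10587 and the function names are constructed for illustration; the parser assumes the plain `-o name=value` form and treats a listener with no override as a finding, because it then inherits whatever main.cf sets.

```python
# Constructed sample master.cf (not from the thread): a compliant submission
# entry, a relaxed loopback-only listener, and a relaxed listener on port 587.
SAMPLE = """\
# service  type  private unpriv chroot wakeup maxproc command + args
smtp       inet  n  -  -  -  -  smtpd
submission inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
127.0.0.1:10587 inet  n  -  -  -  -  smtpd
  -o smtpd_tls_security_level=may
192.0.2.10:587 inet  n  -  -  -  -  smtpd
  -o smtpd_enforce_tls=no
"""

SUBMISSION_PORTS = {"submission", "587"}

def logical_lines(text):
    """Join continuation lines (leading whitespace) onto their service entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def overrides(args):
    """Collect '-o name=value' pairs from the command arguments."""
    return dict(value.split("=", 1)
                for flag, value in zip(args, args[1:])
                if flag == "-o" and "=" in value)

def weak_submission_services(text):
    """Return names of port-587 smtpd listeners not forced to 'encrypt'."""
    weak = []
    for entry in logical_lines(text):
        fields = entry.split()
        # Eight fixed columns: name type private unpriv chroot wakeup maxproc command
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        port = fields[0].rsplit(":", 1)[-1]  # strips "host:" or "[v6]:" prefix
        if port not in SUBMISSION_PORTS:
            continue
        if overrides(fields[8:]).get("smtpd_tls_security_level") != "encrypt":
            weak.append(fields[0])
    return weak

if __name__ == "__main__":
    for name in weak_submission_services(SAMPLE):
        print(f"{name}: smtpd_tls_security_level is not 'encrypt' in master.cf")
```

The loopback listener on 10587 is deliberately not flagged: it is the kind of separate local port the reply suggests, and it leaves the public submission port strict.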