On Sun, Sep 08, 2024 at 01:36:39AM +0200, hostmaster--- via Postfix-users wrote:

> 
> smtp      inet  n       -       -       -       -       smtpd
>   -o smtpd_tls_security_level=encrypt

I thought you were using postscreen?  This is smtpd(8) listening
directly on port 25.  To use postscreen, you want the setting for both
the postscreen(8) service and the protected smtpd(8) service.

    smtp      inet  n       -       n       -       1       postscreen
        -o smtpd_tls_security_level=encrypt
    smtpd     pass  -       -       n       -       -       smtpd
        -o smtpd_tls_security_level=encrypt

> 127.0.0.1:10025 inet    n       -       -       -       -       smtpd
>               ....
>               -o smtpd_tls_security_level=may

Not much point in "may" here, "none" makes more sense.  Although another
approach is to in fact set:

    main.cf:
        smtpd_tls_security_level=encrypt

but then meticulously add exceptions to any smtpd(8) master.cf entries
that should not be subject to this policy.  And of course, I'd be negligent
to not mention that I don't recommend a hard requirement of TLS on port
25, you may one day reject some important mail and not even know it,
and if STARTTLS stops working, you may be rejecting all mail until it
is fixed.

-- 
    Viktor.
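An added example, not part of the message above and not Postfix code: a small Python audit that reports which smtpd_tls_security_level each postscreen(8) and smtpd(8) entry in master.cf ends up with, given the main.cf value, so a missing per-service setting or exception is visible. The sample master.cf is constructed, the function names are hypothetical, and only the `-o name=value` form of override is handled.

```python
# Constructed sample: postscreen has the override, the "pass" smtpd entry
# behind it does not, and the 127.0.0.1:10025 re-injection listener opts out.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       n       -       1       postscreen
    -o smtpd_tls_security_level=encrypt
smtpd     pass  -       -       n       -       -       smtpd
127.0.0.1:10025 inet n  -       -       -       -       smtpd
    -o smtpd_tls_security_level=none
pickup    unix  n       -       n       60      1       pickup
"""

PARAM = "smtpd_tls_security_level"


def logical_lines(text):
    """Join master.cf continuation lines (lines that start with whitespace)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def effective_levels(master_cf, main_cf_level):
    """Map each smtpd/postscreen service to (effective level, where it came from)."""
    result = {}
    for line in logical_lines(master_cf):
        f = line.split()
        if len(f) < 8 or f[7] not in ("smtpd", "postscreen"):
            continue  # not a service this setting applies to
        level, source = main_cf_level, "main.cf"
        args = f[8:]
        for i, arg in enumerate(args[:-1]):
            if arg == "-o" and args[i + 1].startswith(PARAM + "="):
                level, source = args[i + 1].split("=", 1)[1], "master.cf -o"
        result[f"{f[0]}/{f[1]} ({f[7]})"] = (level, source)
    return result


if __name__ == "__main__":
    # main_cf_level is whatever main.cf sets; "may" here is an assumed value.
    for svc, (level, source) in effective_levels(SAMPLE_MASTER_CF, "may").items():
        print(f"{svc:32} {level:8} from {source}")
```

With the main.cf value passed as "may", the `smtpd/pass` entry shows up at "may" while postscreen is at "encrypt", which is the mismatch the reply warns about; with "encrypt" passed instead, only the entries carrying an explicit exception differ.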