On Sun, Sep 22, 2024 at 05:54:38AM +0800, Wesley via Postfix-users wrote:

> Here are the output of my postconf -nf (it's quite simple). can you
> give suggestions for better options? Thanks in advance.

This is not a very productive way to get help, you really should be
asking *specific* questions, with some background about the motivating
requirements.

> $ sudo postconf -nf
> relayhost = [mail.xx.com]:587
> smtp_sasl_password_maps = static:xx #[hidden]

This one is fragile, and might leak the password to the wrong remote
server. Also, the password is world-readable (main.cf is not
read-protected). Instead use a file.

    main.cf:
        smtp_sasl_password_maps = texthash:${config_directory}/pwmaps

    pwmaps (mode 0600):
        # actually hidden
        [mail.xx.com]:587 sesame

> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> smtp_tls_note_starttls_offer = yes
> smtp_tls_security_level = encrypt

The CAfile is not particularly useful, you're not authenticating remote
systems. With a fixed relayhost to which you're sending a plaintext
password, you should probably set:

    smtp_tls_security_level = secure

and at that point, the CAfile will actually be of some use.

> smtp_use_tls = yes

Obsolete NOOP.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Not needed, because session tickets obviate the need for a session
cache.

--
    Viktor.
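
The checks from the reply above, as an added example that is not part of the original message: a POSIX shell lint over `postconf -n` output plus a permission check for the password map file. The function names `audit_postconf` and `map_is_exposed` and the host `mail.example.test` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). On a live system:
#   postconf -n | audit_postconf

# Read "name = value" lines on stdin and print one finding per line.
audit_postconf() {
    awk '
    /^[A-Za-z0-9_]+[ \t]*=/ {   # wrapped continuation lines are skipped
        key = $0; sub(/[ \t]*=.*/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        conf[key] = val
    }
    END {
        pw  = conf["smtp_sasl_password_maps"]
        lvl = conf["smtp_tls_security_level"]
        # A static: map keeps the secret in main.cf and answers every lookup.
        if (pw ~ /^static:/)
            print "WARN smtp_sasl_password_maps: static: map, password is in main.cf and may be offered to the wrong server"
        # These levels encrypt at most; none of them verifies the relay.
        if (pw != "" && (lvl == "" || lvl == "none" || lvl == "may" || lvl == "encrypt"))
            print "WARN smtp_tls_security_level: " (lvl == "" ? "unset" : lvl) " does not authenticate the relay before the password is sent"
        if ("smtp_use_tls" in conf)
            print "INFO smtp_use_tls: obsolete, superseded by smtp_tls_security_level"
    }'
}

# Succeed (exit 0) when the map file is readable by group or other,
# i.e. when it is not protected the way a mode 0600 file would be.
map_is_exposed() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Constructed sample resembling the configuration quoted above.
printf '%s\n' \
    'relayhost = [mail.example.test]:587' \
    'smtp_sasl_password_maps = static:placeholder' \
    'smtp_tls_security_level = encrypt' \
    'smtp_use_tls = yes' | audit_postconf
```
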