On Wed, Oct 23, 2024 at 07:15:31PM +0800, Wesley via Postfix-users wrote:

> please see this default value,
>
> # postconf -d smtp_tls_security_level
> smtp_tls_security_level =

The default value maintains backwards-compatibility with Postfix ~2.2 when TLS support was first merged into Postfix based on original patches by Lutz Jänicke. At the time TLS client security was defined by separate boolean parameters:

    smtp_use_tls
    smtp_enforce_tls
    smtp_tls_enforce_peername

These separate parameters were subsumed by the single smtp_tls_security_level and are now obsolete, but the default behaviour is to honour these legacy parameters, when their replacement is not explicitly specified.

> does this mean if using the default value, Postfix will deliver
> messages to peer MTA without using ssl/tls always, even the peer
> supports encryption connection?

No, see above. But note that with opportunistic TLS, i.e. either of:

    - smtp_use_tls = yes
      smtp_enforce_tls = no

    - smtp_security_level = may

Postfix will fall back to cleartext transmission when either the remote server does not offer STARTTLS, or when STARTTLS fails to be negotiated (by default once a message has been in the queue for a minimum time).

If you really want mandatory TLS, and can afford to not be able to send email to non-TLS peers, then you'd need at least:

    smtpd_tls_security_level = encrypt

What's still missing is a way to specify "encrypt" as a minimum fallback from "dane", when the remote MX host does not have DNSSEC signed TLSA records. This requires some spare cycles to implement.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
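An added example, not part of Viktor's reply or of Postfix itself: a small Python helper that applies the legacy-to-level mapping described above (smtp_tls_security_level left empty, so the obsolete boolean parameters decide the effective client TLS level) and flags which resulting levels can still deliver in cleartext. The function names and the sample main.cf settings are assumptions constructed for this example; the mapping of the booleans to levels and the parameter defaults follow the Postfix TLS_README and postconf(5).

```python
# Added example (not from the thread or from Postfix): work out the
# smtp_tls_security_level a Postfix SMTP client actually applies when the
# parameter is left at its empty default, and whether that level can fall
# back to cleartext delivery. Function names are constructed for this example.

# postconf(5) defaults for the legacy booleans (smtp_tls_enforce_peername
# defaults to "yes", the other two to "no").
LEGACY_DEFAULTS = {
    "smtp_use_tls": "no",
    "smtp_enforce_tls": "no",
    "smtp_tls_enforce_peername": "yes",
}

def parse_postconf(text):
    """Parse 'name = value' lines as printed by `postconf -n`."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        settings[name.strip()] = value.strip()
    return settings

def _is_yes(settings, name):
    value = settings.get(name, LEGACY_DEFAULTS[name])
    return value.lower() in ("yes", "true", "on", "1")

def effective_smtp_tls_level(settings):
    """Return the client TLS level Postfix applies for these settings."""
    explicit = settings.get("smtp_tls_security_level", "")
    if explicit:
        return explicit            # explicit level wins over the legacy booleans
    # Empty default: honour the obsolete boolean parameters (TLS_README mapping).
    if _is_yes(settings, "smtp_enforce_tls"):
        if _is_yes(settings, "smtp_tls_enforce_peername"):
            return "verify"        # mandatory TLS plus server name verification
        return "encrypt"           # mandatory TLS, no name verification
    if _is_yes(settings, "smtp_use_tls"):
        return "may"               # opportunistic: cleartext if STARTTLS absent/fails
    return "none"

def may_fall_back_to_cleartext(level):
    """Levels at which delivery can proceed without TLS. "dane" is listed because,
    as the reply notes, it degrades to opportunistic TLS when the MX has no
    DNSSEC-signed TLSA records."""
    return level in ("none", "may", "dane")

# Constructed sample: a legacy-era main.cf with only smtp_use_tls set.
SAMPLE_MAIN_CF = "smtp_use_tls = yes\nsmtp_enforce_tls = no\n"
```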