Geert Hendrickx:
> On Thu, Oct 24, 2024 at 11:33:22 -0400, Wietse Venema via Postfix-users wrote:
> > And for the Postfix SMTP server, this would add two guards
> > to Viktor's example:
> >
> > smtpd_tls_security_level =
> >     ${{$compatibility_level} >=level {3.10} ?
> >         {${built_with_tls ?
> >             {${smtpd_tls_chain_files ? {may} :
> >                 {${smtpd_tls_cert_file ? {may} :
> >                     {${smtpd_tls_eccert_file ? {may} :
> >                         {${smtpd_tls_dcert_file ? {may}}}}}}}}}}}}
> >
> > Configuration like this is ugly, and is acceptable only for
> > compiled-in default settings.
>
> I would think that a postfix installer or packager that installs a default
> certificate, can also add an explicit "smtpd_tls_security_level = may" to
> the accompanying main.cf, so all these conditions are not really necessary
> for the server side?

Agreed, this would not work "out of the box" because of the external
dependency. This may be done instead with the command "postfix tls
enable-server", which generates a certificate and which sets
smtpd_tls_security_level.

> For the client side, with no dependencies beyond "built_with_tls", it's a
> good idea.

Agreed, this would work out of the box. This would make the command
"postfix tls enable-client" mostly obsolete.

Wietse