Hello,

On 24.10.2024 08:24, Viktor Dukhovni via Postfix-users wrote:
> Yes, of course, as documented.  TLS is off by default, this is
> backwards-compatible behaviour, and Postfix aims to not "surprise"
> operators with unexpected new behaviour after an upgrade.  Default
> settings are in part also the responsibility of vendor distributions
> that determine how the Postfix software is built, and what settings
> are used in initial deployments.
>
> Now perhaps at this point, we could (if Wietse concurs) change the
> default security level to "may" when (almost always nowadays) TLS is
> enabled at compile time.  Gmail stats for TLS in/out are quite close
> lately to 100% in both directions:

But with "TLS on by default out of the box", who and how will be responsible for providing the valid certificates? I am not sure it can (and should) be handled automatically, as it requires an operator to make certain policy and technical decisions as well as to specify various data values. Even when using, e.g., a script from Dovecot to generate a self-signed certificate.

Best wishes
Eugene

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
