On Sat, Nov 02, 2024 at 06:53:56PM -0400, Wietse Venema via Postfix-users wrote:
> example.com relay:[inside-gateway.example.com]:port
>
> The port can be numeric (465, 587) or symbolic (smtps, submissions,
> submission).

With port 465 (a.k.a. "smtps"), don't forget to use a dedicated clone
of the "relay" transport, whose master.cf entry includes:

    -o { smtp_tls_wrappermode = yes }
    -o { smtp_tls_security_level = secure }
    -o { smtp_tls_CAfile = /path/to/trusted-CAs.pem }

Otherwise, without "wrapper mode", it will attempt to use "STARTTLS"
over initially cleartext SMTP, which won't work with "implicit TLS"
on port 465.

The remaining options are equally applicable to 587 ("submission"):
You'll need to configure trust in a suitable list of trust-anchor CAs
that might be expected to (perhaps indirectly via subsidiary "issuer"
CAs) be the issuers of the certificate for the internal mailhub.

If verifying the authenticity of the connection is ETOOHARD, change
the security-level to "encrypt" (if you have DNSSEC and well-maintained
and monitored TLSA records for the internal hub, you could use
"dane-only").

-- 
    Viktor.
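The configuration the reply describes, put together as one added example (this is not from the post or the Postfix distribution; the hostnames, the transport name "relay-tls" and the CA bundle path are placeholders):

```text
# /etc/postfix/main.cf (added example, placeholder values)
# Route by recipient domain through a lookup table.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport (run "postmap /etc/postfix/transport" after editing)
# Use the dedicated clone, not the stock "relay" transport, for the
# implicit-TLS port. The bracketed name is also what a "secure" match
# checks against in the server certificate.
example.com   relay-tls:[inside-gateway.example.com]:465

# /etc/postfix/master.cf (Postfix 3.x "-o { name = value }" syntax)
# service type private unpriv chroot wakeup maxproc command + args
relay-tls unix - - n - - smtp
    -o { syslog_name = postfix/relay-tls }
    -o { smtp_tls_wrappermode = yes }
    -o { smtp_tls_security_level = secure }
    -o { smtp_tls_CAfile = /etc/postfix/internal-hub-CAs.pem }

# For port 587 ("submission") the same clone works with STARTTLS
# instead of implicit TLS: keep the security level and CAfile and set
#     -o { smtp_tls_wrappermode = no }
# and point the transport entry at :587 (or :submission).
```

With "secure", the server certificate must chain to a CA in the named CAfile and carry a name matching the nexthop host, so a certificate issued for a different name, or one from an internal CA not in that file, will cause delivery to be deferred rather than sent in the clear. After editing, run `postfix reload` and watch the mail log for the `postfix/relay-tls` prefix: a successful handshake logs "Verified TLS connection established", while "Untrusted" or "Anonymous" at the "secure" level means the trust configuration, not the cipher, needs fixing.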