Please open an issue in GitHub for problems with postfix-tlspol in the future. I can say that you probably misconfigured something. It has to say "Verified TLS", so it didn't work in your case.
Did you use the correct port and socketmap verb? It isn't the same as postfix-mta-sts-resolver (socketmap:inet:127.0.0.1:8461:postfix), but rather socketmap:inet:127.0.0.1:8642:QUERY

Best,
Ömer

> On 09.02.2025 at 16:36, Ömer Güven <omer.gu...@zuplu.com> wrote:
>
> I can only endorse this. Simply setting it to "dane" should solve the hassle
> and make the operation more consistent and predictable.
>
> Thanks,
> Ömer
>
>> On 09.02.2025 at 15:58, Wietse Venema via Postfix-users
>> <postfix-users@postfix.org> wrote:
>>
>> I think that the mistake was to make smtp_tls_dane_insecure_mx_policy
>> dependent on smtp_tls_security_level
>>
>> Will it please Viktor and Omer if I change the default to
>>
>> smtp_tls_dane_insecure_mx_policy = dane
>>
>> That seems to have less of a WTF factor.
>>
>> Here is my motivation to make dane policy evaluation NOT
>> dependent on smtp_tls_security_level.
>>
>> In today's world it seems natural, to me at least, to set
>> smtp_tls_security_level to 'may' as a default baseline for all
>> deliveries, and then use policy lookup for sites that are ready for
>> stronger security.
>>
>> For this reason alone, smtp_tls_security_level is not a good
>> way to express how to handle a DANE half-edge case.
>>
>> Asking people to configure different transports for this case,
>> kind of defeats the purpose of having smtp_tls_policy_maps.
>>
>> Thus, I propose to decouple smtp_tls_dane_insecure_mx_policy
>> from smtp_tls_security_level
>>
>> Starting with today's baseline level of 'may', over time one can
>> evolve the baseline to 'encrypt', and eventually use 'secure' as
>> the baseline, and (NOTE: role switch!) use smtp_tls_policy_maps
>> for sites that need weaker security.
>>
>> So there is my longer-term perspective: today, use policy maps to
>> harden security for specific sites. In the future, use policy
>> maps to weaken security for specific sites.
>>
>> Decoupling smtp_tls_dane_insecure_mx_policy from smtp_tls_security_level
>> will delay the Postfix 3.10.0 stable release by another day, but it
>> would be worth it.
>>
>> Wietse
>> _______________________________________________
>> Postfix-users mailing list -- postfix-users@postfix.org
>> To unsubscribe send an email to postfix-users-le...@postfix.org
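
Added example, not part of the original message and not code from Postfix, postfix-tlspol or postfix-mta-sts-resolver: the Postfix socketmap wire format, showing where the last field of the map spec (`postfix` or `QUERY` above) ends up in the request, so a lookup can be checked by hand against the daemon. The function names, the domain and the sample reply value are constructed for illustration; the framing and status words follow socketmap_table(5).

```python
import socket


def netstring(payload: bytes) -> bytes:
    """Frame payload as a netstring: <decimal length>:<payload>,"""
    return str(len(payload)).encode() + b":" + payload + b","


def parse_netstring(data: bytes) -> bytes:
    """Return the payload of one netstring; ValueError if malformed or incomplete."""
    length, sep, rest = data.partition(b":")
    if not sep or not length.isdigit():
        raise ValueError("missing or malformed netstring length")
    n = int(length)
    if len(rest) < n + 1 or rest[n:n + 1] != b",":
        raise ValueError("truncated or unterminated netstring")
    return rest[:n]


def build_request(map_name: str, key: str) -> bytes:
    """A socketmap request is the netstring of '<map name> <key>'."""
    return netstring(f"{map_name} {key}".encode())


def parse_reply(data: bytes) -> tuple[str, str]:
    """Split a reply into (status, text); status is OK, NOTFOUND, TEMP, TIMEOUT or PERM."""
    status, _, text = parse_netstring(data).decode().partition(" ")
    return status, text


def lookup(host: str, port: int, map_name: str, key: str, timeout: float = 5.0):
    """Send one lookup to a socketmap server and return the parsed reply."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        conn.sendall(build_request(map_name, key))
        buf = b""
        while True:
            chunk = conn.recv(4096)
            buf += chunk
            try:
                return parse_reply(buf)
            except ValueError:
                if not chunk:  # peer closed before a full reply arrived
                    raise


if __name__ == "__main__":
    # Same key, two different map names: the daemon sees different requests.
    print(build_request("QUERY", "example.org"))    # name used with port 8642 above
    print(build_request("postfix", "example.org"))  # name used with port 8461 above
```

Calling `lookup("127.0.0.1", 8642, "QUERY", "example.org")` on the mail host shows what the daemon returns for a domain independently of Postfix.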