Christophe Kalt via Postfix-users:
> > > # postconf smtp_dns_support_level
> > > smtp_dns_support_level =
> > > # postconf -nf | egrep \^smtp
> > > smtp_destination_concurrency_limit = 1
> > > smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
> > > smtp_tls_connection_reuse = yes
> > > smtp_tls_security_level = may
> >
> > Thanks, that's helpful. Turns out that the change in the default value
> > of insecure MX TLS policy had unanticipated implications. To be fixed
> > in the next set of patch releases. :-(
>
> Glad to hear you figured this out. I take it that the warnings are harmless
> and safe to ignore here?
If you build from source, below is a 'simple' patch. This prevents
the Postfix SMTP client from ignoring that DNSSEC is disabled. This
is likely to go into the stable releases.
Wietse
diff '--exclude=man' '--exclude=html' '--exclude=README_FILES'
'--exclude=INSTALL' '--exclude=.indent.pro' -r -ur
/var/tmp/postfix-3.11-20250217/src/smtp/smtp_addr.c ./src/smtp/smtp_addr.c
--- /var/tmp/postfix-3.11-20250217/src/smtp/smtp_addr.c 2024-10-10
18:15:24.000000000 -0400
+++ ./src/smtp/smtp_addr.c 2025-02-21 09:52:27.610195070 -0500
@@ -299,7 +299,8 @@
if (mx_names->dnssec_valid)
res_opt = RES_USE_DNSSEC;
#ifdef USE_TLS
- else if (smtp_tls_insecure_mx_policy > TLS_LEV_MAY)
+ else if (smtp_tls_insecure_mx_policy > TLS_LEV_MAY
+ && smtp_dns_support == SMTP_DNS_DNSSEC)
res_opt = RES_USE_DNSSEC;
#endif
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
