On Fri, Feb 28, 2025 at 11:55:14AM +0100, Jaroslaw Rafa via Postfix-users wrote:

> > Mandatory STARTTLS is not unencrypted.  Postfix-to-Postfix over port 587
> > is not less secure than over 465.  Just an extra couple of network
> > round-trips that don't much matter in email.  Think of it as a less than
> > optimal TCP handshake before TLS starts.
> 
> The OP insists that he wants to use wrapper mode and not STARTTLS, so I
> suggested the solution to do so. Configure stunnel from for example
> localhost:10000 to relay_server:465, and set in Postfix config to use just
> localhost:10000 as a relay, without STARTTLS at all.
> 
> Stunnel is a great tool when you want to make a TLS-wrapped connection from,
> or to, something that doesn't support TLS wrapper mode natively :)

A reasonable choice when you don't have other adequate options, but here
Postfix natively supports STARTTLS, and avoiding the complexity of an
additional dependency to configure and manage more than compensates for
the tiny increase in latency.  Solving the STARTTLS "problem" by
introducing a proxy is a poor tradeoff.

The OP was looking for native support in Postfix for per-nexthop
(fallback nexthop) or port-specific wrapper mode.  As Wietse noted,
this isn't presently available.

-- 
    Viktor.
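For readers who want to see the two configurations the thread contrasts side by side, here is an added example that is not part of the original messages: the stunnel-wrapped relay that Jaroslaw describes (local plaintext listener on localhost:10000 forwarding to the relay's port 465) next to the native mandatory-STARTTLS setup over port 587 that Viktor prefers. The relay hostname `relay.example.net`, the CA bundle path and the file locations are assumptions for illustration.

```ini
; --- Variant A: TLS wrapper mode via stunnel (hypothetical /etc/stunnel/smtps-relay.conf) ---
; stunnel acts as a TLS client: Postfix speaks plain SMTP to 127.0.0.1:10000,
; stunnel wraps it in TLS toward the relay's implicit-TLS port 465.
[smtps-relay]
client = yes
accept = 127.0.0.1:10000
connect = relay.example.net:465
; Verify the relay's certificate chain and hostname; without these lines
; the tunnel is encrypted but not authenticated (assumed CA bundle path).
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = relay.example.net

# --- Variant A, Postfix side (main.cf) ---
# Talk plain SMTP to the local stunnel listener; no STARTTLS at all, because
# the TLS layer now lives in stunnel. Brackets suppress the MX lookup.
# relayhost = [127.0.0.1]:10000
# smtp_tls_security_level = none

# --- Variant B: native mandatory STARTTLS on the submission port (main.cf) ---
# No extra daemon; "encrypt" refuses to send in clear if STARTTLS fails,
# "secure" additionally requires a verified certificate for the relay.
# relayhost = [relay.example.net]:587
# smtp_tls_security_level = secure
# smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
```

Note that in variant A the certificate checks move out of Postfix's view entirely: `smtp_tls_security_level = none` means Postfix can no longer log or enforce anything about the TLS session, so the `verifyChain`/`checkHost` lines in the stunnel section are what stands between you and an unauthenticated tunnel. That relocation of trust, plus a second service to keep configured and patched, is the complexity the reply above weighs against a couple of extra round-trips.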
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org