On Wed, Mar 05, 2025 at 12:30:46PM +0100, Herbert J. Skuhra via Postfix-users wrote:

> On Mon, 28 Jan 2019 13:59:23 +0100, Stefan Bauer wrote:
>
> > we would like to go the next step, enable smtp_tls_security_level = dane.
> > Currently we have encrypt site-wide.
> >
> > But in cases where remote sites do not have published key material, the
> > fallback is may with dane, which is a step back in terms of security and
> > not wanted.
>
> Is this possible by now? :-)
>
> I guess not, after reading
> https://www.postfix.org/postconf.5.html#smtp_tls_security_level.

Yes, this is not currently implemented. A fully supported version of this
would need to be configurable, and would likely be further generalised.

But if you're willing to build Postfix from patched source, the below
would suffice to hard-code "encrypt" as the only fallback from "dane":

--- src/smtp/smtp_tls_policy.c
+++ src/smtp/smtp_tls_policy.c
@@ -926,7 +926,7 @@ static void PRINTFLIKE(4, 5) dane_incompat(SMTP_TLS_POLICY *tls,
     va_start(ap, fmt);
     if (tls->level == TLS_LEV_DANE) {
-	tls->level = (errtype == DANE_CANTAUTH) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY;
+	tls->level = TLS_LEV_ENCRYPT;
 	if (errtype == NONDANE_CONFIG)
 	    vmsg_warn(fmt, ap);
 	else if (msg_verbose)

-- 
Viktor.
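Review bot: the replaced line is the only place `errtype` fed into the fallback level, so after this change every non-DANE outcome lands on TLS_LEV_ENCRYPT regardless of why DANE could not be used, while the warning logic two lines below still only calls vmsg_warn for NONDANE_CONFIG and otherwise logs under msg_verbose alone. The downgrade from "dane" to "encrypt" (a level that still does no peer authentication) is therefore silent in the common case; since the whole point of the request is that a fallback is unwanted, consider logging that downgrade unconditionally, at least at the level NONDANE_CONFIG already gets, so an operator can see which destinations ran unauthenticated. For anything beyond a private build, the literal `tls->level = TLS_LEV_ENCRYPT;` should become a main.cf-driven value with the removed ternary `(errtype == DANE_CANTAUTH) ? TLS_LEV_ENCRYPT : TLS_LEV_MAY` as its default, which is the configurable form the reply itself says a supported version would need.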