On Wed, 12 Nov 2025, Viktor Dukhovni via Postfix-users wrote:
> On Tue, Nov 11, 2025 at 02:00:57PM -0800, Hans Carlson via Postfix-users wrote:
>> sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
> This changes only the nexthop hostname, but not the delivery transport.
> Per the below, you'll need to set:
> sender_dependent_default_transport_maps
>> sender_relay contains lines like this:
>> [email protected] [smtp.isp1.com]:465
>> [email protected] [smtp.isp1.com]:465
>> [email protected] [smtp.isp2.com]:587
>> [email protected] [smtp.isp2.com]:587
> Replace this with:
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> sender_dependent_default_transport_maps = ${indexed}sender_transport
> sender_transport:
> [email protected] smtps:[smtp.isp1.com]:465
> [email protected] smtps:[smtp.isp1.com]:465
> [email protected] smtp:[smtp.isp2.com]:587
> [email protected] smtp:[smtp.isp2.com]:587
So, I first made this change and all was good. I was able to send email
from users @isp1.com and users @isp2.com without problems.
Then I went back and made the changes mentioned below regarding
smtp_tls_security_level=verify and reloaded the config and now I get this
message when I try to send from users @isp1.com and the mail is deferred.
warning: smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt" (or stronger)
So it appears if I'm using smtp_tls_wrappermode, then I can't set
smtp_tls_security_level = verify. And as you say, in my case
verify/encrypt end up being basically the same, so is there any reason NOT
to set it to encrypt in order to satisfy the smtp_tls_wrappermode
requirement?
I did change smtp_tls_secure_cert_match as you suggested, so currently I have:
smtp_tls_security_level = encrypt
smtp_tls_secure_cert_match = nexthop
smtp_tls_mandatory_ciphers = high
I assume I could leave main.cf as verify and add an override in master.cf
for "smtps" so it uses encrypt, but is that really that important if
they're essentially the same in my case?
With regards to smtp_tls_CAfile, that's set to this by default (I didn't
change it):
# postconf -p smtp_tls_CAfile
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
And that is from this package on Fedora 43:
Name : ca-certificates
Epoch : 0
Version : 2025.2.80_v9.0.304
Release : 1.1.fc43
Architecture : noarch
Installed size : 2.7 MiB
Source : ca-certificates-2025.2.80_v9.0.304-1.1.fc43.src.rpm
From repository : e869567dd59440279238aefd37a70f92
Summary : The Mozilla CA root certificate bundle
URL : https://fedoraproject.org/wiki/CA-Certificates
License : MIT AND GPL-2.0-or-later
Description : This package contains the set of CA certificates chosen by the
            : Mozilla Foundation for use with the Internet PKI.
Vendor : Fedora Project
>> smtp_tls_security_level = encrypt
> Best practice here may be to set "smtp_tls_security_level = verify", and
> configure "smtp_tls_CAfile" to a PEM with appropriate mainstream
> certification authority certificates that make it possible to
> authenticate the current and plausible future certificates used by the
> ISP relays. The "verify" level is identical to the "secure" level in
> almost all ways except for the default values of:
> $ postconf -d smtp_tls_secure_cert_match smtp_tls_verify_cert_match
> smtp_tls_secure_cert_match = nexthop, dot-nexthop
> smtp_tls_verify_cert_match = hostname
> Since you're not doing MX lookups (the nexthops are all of the form
> [hostname]:port), the nexthop is the hostname, so "verify" is slightly
> more precise/strict in your case. If you explicitly set either
> smtp_tls_secure_cert_match = nexthop
> smtp_tls_secure_cert_match = hostname
> the two are then equivalent (in your case):
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
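As an added example (not code from this thread or from Postfix), a small lint that resolves each sender's effective TLS settings from a sender_transport map, main.cf values and master.cf "-o" overrides, then reports the wrappermode/level mismatch quoted in the warning above and the certificate names a "verify" or "secure" level will demand. It assumes the level ordering none < may < encrypt < verify < secure, uses the "postconf -d" cert-match defaults quoted in the thread, and all sample entries are constructed.

```python
import re

# Levels the thread discusses, weakest first (assumption: ordering as in Postfix
# TLS_README; the quoted warning wants "encrypt" or stronger with wrappermode).
LEVELS = ["none", "may", "encrypt", "verify", "secure"]
DEFAULT_MATCH = {"secure": "nexthop, dot-nexthop", "verify": "hostname"}  # postconf -d
# Constructed sample data in the thread's formats (addresses are placeholders).
SENDER_TRANSPORT = ("user1@isp1.example  smtps:[smtp.isp1.example]:465\n"
                    "user2@isp2.example  smtp:[smtp.isp2.example]:587\n")
# Conventional master.cf "smtps" service, without and with the level override.
MASTER_BROKEN = "smtps unix - - n - - smtp\n  -o smtp_tls_wrappermode=yes\n"
MASTER_FIXED = MASTER_BROKEN + "  -o smtp_tls_security_level=encrypt\n"

def parse_transport_map(text):
    """sender -> (transport, nexthop) from 'sender transport:nexthop' lines."""
    rows = [ln.split(None, 1) for ln in text.splitlines() if ln.strip() and ln[0] != "#"]
    return {sender: tuple(result.partition(":")[::2]) for sender, result in rows}

def master_overrides(text):
    """service -> {param: value} from master.cf '-o param=value' lines."""
    services, svc = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and not line.startswith("#"):
            svc = line.split()[0]
            services.setdefault(svc, {})
        elif svc and (m := re.search(r"-o\s+(\w+)=(\S+)", line)):
            services[svc][m.group(1)] = m.group(2)
    return services

def cert_names(match, host):
    """Expand a *_cert_match list; a bracketed nexthop means hostname == nexthop."""
    parent = "." + host.split(".", 1)[1] if "." in host else host
    return [host if m in ("hostname", "nexthop") else parent if m == "dot-nexthop" else m
            for m in re.split(r"[,\s]+", match) if m]

def lint(transport_map, main_cf, master_cf):
    """Per sender: effective TLS level, names the ISP cert must carry, findings."""
    report, overrides = {}, master_overrides(master_cf)
    for sender, (transport, nexthop) in parse_transport_map(transport_map).items():
        eff = {**main_cf, **overrides.get(transport, {})}  # master.cf -o wins
        level = eff.get("smtp_tls_security_level", "may")
        wrapper = eff.get("smtp_tls_wrappermode", "no") == "yes"
        host = re.sub(r":\d+$", "", nexthop).strip("[]")  # [host]:port -> host
        match = eff.get(f"smtp_tls_{level}_cert_match", DEFAULT_MATCH.get(level, ""))
        findings = []
        if wrapper and level not in LEVELS[LEVELS.index("encrypt"):]:
            findings.append(f"wrappermode needs encrypt or stronger, got {level}")
        if nexthop.endswith(":465") and not wrapper:
            findings.append("port 465 is implicit TLS, but transport lacks wrappermode")
        report[sender] = {"level": level, "cert_names": cert_names(match, host), "findings": findings}
    return report
```

Running lint(SENDER_TRANSPORT, {"smtp_tls_security_level": "may"}, MASTER_BROKEN) flags the smtps sender, while MASTER_FIXED clears it; with "verify" or "secure" in main.cf the cert_names entry shows that a bracketed nexthop makes "hostname" and "nexthop" matching demand the same name.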