On Sat, Nov 15, 2025 at 11:51:42AM -0800, Hans Carlson via Postfix-users wrote:
> So, I first made this change and all was good. I was able to send email
> from users @isp1.com and users @isp2.com without problems.
Glad to see (no surprise) that sender dependent transports are working
for you as documented and expected.
> Then I went back and made the changes mentioned below regarding
> smtp_tls_security_level=verify and reloaded the config and now I get this
> message when I try to send from users @isp1.com and the mail is deferred.
>
> warning: smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt"
> (or stronger)
You must not have made the change correctly. All transports that use
wrapper mode need that setting.
> So it appears if I'm using smtp_tls_wrappermode, then I can't set
> smtp_tls_security_level = verify.
That's not the case, the "or stronger" includes "verify".
https://github.com/vdukhovni/postfix/blob/cafda9a4d1e83d953a22ba5e3859ab0e6160926e/postfix/src/smtp/smtp_connect.c#L1200-L1206
    if (var_smtp_tls_wrappermode
        && state->tls->level < TLS_LEV_ENCRYPT) {
        msg_warn("%s requires \"%s = encrypt\" (or stronger)",
                 VAR_LMTP_SMTP(TLS_WRAPPER), VAR_LMTP_SMTP(TLS_LEVEL));
        continue;
        /* XXX Assume there is no code at the end of this loop. */
    }
https://github.com/vdukhovni/postfix/blob/cafda9a4d1e83d953a22ba5e3859ab0e6160926e/postfix/src/tls/tls.h#L41-L51
#define TLS_LEV_INVALID    -2   /* sentinel */
#define TLS_LEV_NOTFOUND   -1   /* XXX not in policy table */
#define TLS_LEV_NONE        0   /* plain-text only */
#define TLS_LEV_MAY         1   /* wildcard */
#define TLS_LEV_ENCRYPT     2   /* encrypted connection */
#define TLS_LEV_FPRINT      3   /* "peer" CA-less verification */
#define TLS_LEV_HALF_DANE   4   /* DANE TLSA MX host, insecure MX RR */
#define TLS_LEV_DANE        5   /* Opportunistic TLSA policy */
#define TLS_LEV_DANE_ONLY   6   /* Required TLSA policy */
#define TLS_LEV_VERIFY      7   /* certificate verified */
#define TLS_LEV_SECURE      8   /* "secure" verification */
Somehow, your "effective" TLS level was either "may", "none" or invalid.
> And as you say, in my case verify/encrypt
> end up being basically the same, so is there any reason NOT to set it to
> encrypt in order to satisfy the smtp_tls_wrappermode requirement?
I did not say that. I said that "secure" and "verify" are the same,
whereas "encrypt" DOES NOT verify the remote server's certificate and
even supports (TLS 1.2 or earlier) anonymous TLS ciphers.
> I did change smtp_tls_secure_cert_match as you suggested, so currently I have:
>
> smtp_tls_security_level = encrypt
> smtp_tls_secure_cert_match = nexthop
> smtp_tls_mandatory_ciphers = high
You need "smtp_tls_security_level = verify".
> I assume I could leave main.cf as verify and add an override in master.cf
> for "smtps" so it uses encrypt, but is that really that important if they're
> essentially the same in my case?
They are NOT the same.
> With regards to smtp_tls_CAfile, that's set to this by default (I didn't
> change it):
>
> # postconf -p smtp_tls_CAfile
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
Well, perhaps that's the default for the "distro" package main.cf, but
it is not a Postfix default (which is empty).
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
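The configuration the thread is circling around, written out as one consistent example. This is an added illustration, not configuration posted by either participant: the transport name "smtps", the lookup-table path and the ISP relay hostnames are placeholders. It shows the settings that make a wrapper-mode (implicit TLS, port 465) client transport pass the check quoted from smtp_connect.c while still verifying the server certificate, i.e. a level of "verify" (TLS_LEV_VERIFY = 7) rather than "encrypt" (TLS_LEV_ENCRYPT = 2).

```conf
# ---- main.cf (added example; hostnames and paths are placeholders) ----

# Route mail by envelope-sender domain to a per-ISP client transport.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# Site-wide client TLS policy. "verify" requires a certificate that
# chains to smtp_tls_CAfile/smtp_tls_CApath AND matches the peer name;
# "encrypt" would only require an encrypted session (no identity check,
# and anonymous ciphers allowed with TLS 1.2 or earlier).
smtp_tls_security_level = verify
# Name matching for the "verify" level; "nexthop" matches the next-hop
# destination with any [] and :port stripped. (smtp_tls_secure_cert_match
# is the analogous knob, but it only governs the "secure" level.)
smtp_tls_verify_cert_match = nexthop
smtp_tls_mandatory_ciphers = high
# Trust anchors are required for "verify"; the Postfix default is empty,
# so this must be set explicitly (distro packages often pre-set it).
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt

# ---- /etc/postfix/sender_transport (run "postmap" on it after editing) ----
#   @isp1.com   smtps:[smtp.isp1.example]:465
#   @isp2.com   smtps:[smtp.isp2.example]:465

# ---- master.cf ----
# A wrapper-mode client transport named "smtps" for port-465 relays.
# Any level at or above "encrypt" satisfies the wrappermode check, so
# "verify" is fine here. Note: master.cf does not allow whitespace around
# "=" in -o overrides; "smtp_tls_security_level = verify" would NOT parse.
smtps     unix  -       -       n       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_security_level=verify
    -o smtp_tls_verify_cert_match=nexthop
```

After editing, confirm the override the transport will actually see with `postconf -P smtps/unix/smtp_tls_security_level`, then `postmap /etc/postfix/sender_transport` and `postfix reload`; the "smtp_tls_wrappermode requires ..." warning quoted above should no longer appear in the mail log, and a successful delivery is logged as a Verified TLS connection rather than Untrusted or Anonymous.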