Thank you Viktor, you're correct on all counts. See below if you're
interested in how I screwed up.
Thanks again for all your help.
On Sun, 16 Nov 2025, Viktor Dukhovni via Postfix-users wrote:

> On Sat, Nov 15, 2025 at 11:51:42AM -0800, Hans Carlson via Postfix-users wrote:
>
>> Then I went back and made the changes mentioned below regarding
>> smtp_tls_security_level=verify and reloaded the config and now I get this
>> message when I try to send from users @isp1.com and the mail is deferred.
>>
>>     warning: smtp_tls_wrappermode requires "smtp_tls_security_level = encrypt"
>>     (or stronger)
>
> You must not have made the change correctly. All transports that use
> wrapper mode need that setting.

Yep, you're right. I actually did change the entry in main.cf to this:

    smtp_tls_security_level = verify

But, based on a comment I added to the file, for some reason thought
verify was the default, so I left the line in, but commented it out,
making it use the actual default of empty.

>> And as you say, in my case verify/encrypt
>> end up being basically the same, so is there any reason NOT to set it to
>> encrypt in order to satisfy the smtp_tls_wrappermode requirement?
>
> I did not say that. I said that "secure" and "verify" are the same,
> whereas "encrypt" DOES NOT verify the remote server's certificate and
> even supports (TLS 1.2 or earlier) anonymous TLS ciphers.

You're right. When I read those, I conflated "secure" and "encrypt"... so
I kept thinking "encrypt" was higher than "verify". I think this may be
why I got it stuck in my mind that "verify" was the default and thus
commented out the entry.

>> With regards to smtp_tls_CAfile, that's set to this by default (I didn't
>> change it):
>>
>>     # postconf -p smtp_tls_CAfile
>>     smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
>
> Well, perhaps that's the default for the "distro" package main.cf, but
> it is not a Postfix default (which is empty).

Yes... you're correct. I used the term "default" a bit too loosely. I
meant it was the "default" that came with the Fedora postfix package.
The actual postfix default is empty as you say.

    postconf -d smtp_tls_CAfile
    smtp_tls_CAfile =

And this is the original main.cf that came with the Fedora postfix
package:

    grep smtp_tls_CAfile main.cf.ORIG
    smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
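The mistake discussed in this thread (a commented-out smtp_tls_security_level silently falling back to the empty default while wrapper mode is on) can be caught with a small offline check of main.cf; this is an added example, not part of the original messages and not Postfix code. It assumes wrapper mode is set globally in main.cf rather than per transport in master.cf, models only the security levels named in the thread, and the function names and sample config are constructed for illustration.

```python
import re

# Levels named in the thread; any other level is reported as not modelled here.
TOO_WEAK = {"", "none", "may"}              # "" is the Postfix built-in default
ACCEPTED = {"encrypt", "verify", "secure"}  # satisfy the wrappermode requirement
VERIFIES_CERT = {"verify", "secure"}        # "encrypt" does not check the certificate

def parse_main_cf(text):
    """Return (active, commented); commented holds '#name = value' settings."""
    active, commented, last = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):            # comment: remember disabled settings
            m = re.match(r"#\s*(\w+)\s*=\s*(.*)", line)
            if m:
                commented[m.group(1)] = m.group(2)
            continue
        if raw[0].isspace() and last:       # leading whitespace continues a line
            active[last] = (active[last] + " " + line).strip()
            continue
        name, sep, value = line.partition("=")
        if sep:                             # a later definition overrides an earlier one
            last = name.strip()
            active[last] = value.strip()
    return active, commented

def check_smtp_tls(text):
    """Return a list of (code, detail) findings for the SMTP client TLS settings."""
    active, commented = parse_main_cf(text)
    key = "smtp_tls_security_level"
    level = active.get(key, "")
    wrapper = active.get("smtp_tls_wrappermode", "no") == "yes"
    findings = []
    if level not in TOO_WEAK | ACCEPTED:
        findings.append(("LEVEL_NOT_MODELLED", level))
    elif wrapper and level in TOO_WEAK:
        disabled = key in commented and key not in active
        hint = f"commented out: {commented[key]}" if disabled else "not set high enough"
        findings.append(("WRAPPERMODE_NEEDS_ENCRYPT", f"level={level!r}; {hint}"))
    elif level in ACCEPTED - VERIFIES_CERT:
        findings.append(("NO_CERT_VERIFICATION", level))
    return findings

# Constructed samples: the commented-out setting from the thread, then the fix.
BROKEN = "smtp_tls_wrappermode = yes\n#smtp_tls_security_level = verify\n"
FIXED = BROKEN.replace("#smtp", "smtp")
```

On a live system, `postconf -n` shows the settings actually present in main.cf, which is the quicker way to spot that a line was commented out.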