On Sun, Nov 16, 2025 at 10:08:19AM -0800, Hans Carlson via Postfix-users wrote:
> You're right. When I read those, I conflated "secure" and "encrypt"... so I
> kept thinking "encrypt" was higher than "verify". I think this may be why I
> got it stuck in my mind that "verify" was the default and thus commented out
> the entry.
Well, true to its name, "encrypt" just makes sure that the traffic is
not in the clear, but without any verification of the server certificate.
The levels are documented:
https://www.postfix.org/postconf.5.html#smtp_tls_security_level
https://www.postfix.org/TLS_README.html#client_tls_levels
https://www.postfix.org/TLS_README.html#client_tls_none
https://www.postfix.org/TLS_README.html#client_tls_may
https://www.postfix.org/TLS_README.html#client_tls_encrypt
https://www.postfix.org/TLS_README.html#client_tls_dane
https://www.postfix.org/TLS_README.html#client_tls_dane-only
https://www.postfix.org/TLS_README.html#client_tls_fingerprint
https://www.postfix.org/TLS_README.html#client_tls_verify
https://www.postfix.org/TLS_README.html#client_tls_secure
> The actual postfix default is empty as you say.
>
> postconf -d smtp_tls_CAfile
> smtp_tls_CAfile =
>
> And this is the original main.cf that came with the Fedora postfix package:
>
> grep smtp_tls_CAfile main.cf.ORIG
> smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
I should not be surprised to hear that many users start with the OS
distribution's, rather than (as in my case) an empty main.cf file and
make changes from there. And even use the distributed package rather
than build from source. :-)
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
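A small audit helper, added here and not part of the thread or of Postfix itself, that classifies an SMTP client TLS configuration by what each security level actually guarantees about the remote server (levels as described in TLS_README: none/may/encrypt never check the server certificate, verify/secure check it against smtp_tls_CAfile/CApath). It assumes tls_append_default_CA is left at its default of "no" and reads constructed sample settings instead of a live postconf.

```shell
#!/bin/sh
# Added example (not from the thread): classify a Postfix SMTP client TLS
# configuration by what it guarantees about the remote server.
# Input is "key = value" text as printed by "postconf -n" or "postconf -d".
# Assumption: tls_append_default_CA is at its default of "no", so an empty
# smtp_tls_CAfile and smtp_tls_CApath means there are no trust anchors.
audit_smtp_tls() {
    conf=$1
    level=$(printf '%s\n' "$conf" | sed -n 's/^smtp_tls_security_level *= *//p')
    cafile=$(printf '%s\n' "$conf" | sed -n 's/^smtp_tls_CAfile *= *//p')
    capath=$(printf '%s\n' "$conf" | sed -n 's/^smtp_tls_CApath *= *//p')
    case "$level" in
        ""|none) echo "plaintext: no TLS requested" ;;
        may)     echo "opportunistic: TLS if offered, certificate not checked" ;;
        encrypt) echo "encrypted: TLS required, certificate not checked" ;;
        fingerprint|dane|dane-only)
                 echo "authenticated: $level (does not rely on CAfile)" ;;
        verify|secure)
            # Certificate verification needs trust anchors; without any,
            # every handshake fails verification and mail is deferred.
            if [ -z "$cafile" ] && [ -z "$capath" ]; then
                echo "broken: $level with no trust anchors, deliveries at this level are deferred"
            else
                echo "authenticated: $level against ${cafile:-$capath}"
            fi ;;
        *)       echo "unknown level: $level" ;;
    esac
}

# Constructed samples: a main.cf that keeps the compiled-in empty CAfile
# (as in the thread) versus the Fedora main.cf pointing at the system bundle.
DEFAULT_CONF='smtp_tls_security_level = encrypt
smtp_tls_CAfile =
smtp_tls_CApath ='
FEDORA_CONF='smtp_tls_security_level = secure
smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt'

audit_smtp_tls "$DEFAULT_CONF"
audit_smtp_tls "$FEDORA_CONF"
```

On a live system feed it `"$(postconf -n smtp_tls_security_level smtp_tls_CAfile smtp_tls_CApath)"` instead of the samples.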