I am confused by the following Postfix definition of 'smtpd_tls_auth_only' & 'smtpd_tls_security_level' & would appreciate if someone could please help me understand this. TLS configuration is new to me, so I apologise for my ignorance, and I did bother to review:

http://www.postfix.org/postconf.5.html#smtpd_tls_security_level

In my Postfix main.cf, I have the following TLS parameters:

    smtpd_use_tls = yes #announce STARTTLS support to SMTP clients, but do not require that clients use TLS encryption.
    smtpd_tls_loglevel = 1 #loglevel
    smtpd_tls_cert_file = /etc/ssl/certs/mail.crt # Cert file
    smtpd_tls_key_file = /etc/ssl/private/mail.key # Key file
    smtpd_tls_session_cache_database = btree:/var/lib/postfix/smtpd_scache
    smtp_tls_session_cache_database = btree:/var/lib/postfix/smtp_scache
    smtpd_tls_security_level = may # ?
    smtpd_tls_auth_only = yes # ?

My confusion is the bottom two parameters. I know that if I change 'may' to 'encrypt' in 'smtpd_tls_security_level', I am then forcing all clients to use a TLS connection to Postfix. This is understood, but then when I see 'smtpd_tls_auth_only', I get confused because it seems redundant to me with 'smtpd_use_tls'. According to the definition below of 'smtpd_tls_auth_only = yes', I thought 'smtpd_use_tls' announces STARTTLS to SMTP clients... and I have 'smtpd_tls_auth_only = yes', and clients can still send SMTP email without mandatory TLS. I don't understand why, unless I am confused about its function.

"Mandatory TLS: announce STARTTLS support to SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. This option is off by default and should be used only on dedicated servers."

So when I have 'smtpd_tls_auth_only = yes', I am still able to send SMTP mail without TLS configured on my client. Is this expected behavior or am I missing something here? Does anyone mind please clarifying this for me?
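The following is an added example (not part of the question above and not Postfix's own code) that parses a main.cf fragment modelled on the one in the question and reports what an unencrypted SMTP session is allowed to do under it. It encodes the documented postconf(5) semantics: `smtpd_tls_security_level = may` offers STARTTLS but still accepts mail on plaintext sessions, `encrypt` rejects mail until STARTTLS has been issued, and `smtpd_tls_auth_only = yes` only withholds SASL AUTH from unencrypted sessions, so it never forces TLS for mail delivery on its own. The parser also flags the inline `# ...` text in the sample: main.cf has no inline comments, so Postfix keeps that text as part of the parameter value. The sample config, the `smtpd_sasl_auth_enable` line, and the function and class names are all constructed for this example.

```python
"""Evaluate the plaintext-session exposure of a Postfix smtpd TLS configuration.

Added example, not from the original question or from the Postfix project.
Only the 'may' and 'encrypt' security levels are modelled.
"""
from dataclasses import dataclass, field

# Constructed main.cf fragment mirroring the parameters in the question
# (smtpd_sasl_auth_enable added so the AUTH behaviour is visible).
SAMPLE_MAIN_CF = """\
# TLS settings (constructed sample)
smtpd_use_tls = yes #announce STARTTLS support to SMTP clients
smtpd_tls_cert_file = /etc/ssl/certs/mail.crt
smtpd_tls_key_file =
    /etc/ssl/private/mail.key
smtpd_sasl_auth_enable = yes
smtpd_tls_security_level = may # ?
smtpd_tls_auth_only = yes # ?
"""


def parse_main_cf(text):
    """Return ({name: value}, [warnings]) for main.cf-style text.

    Handles full-line comments and continuation lines (lines that start with
    whitespace extend the previous parameter's value).
    """
    params, warnings, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or full-line comment
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        name, sep, value = raw.partition("=")
        if not sep:
            warnings.append(f"unparsable line: {raw!r}")
            continue
        current = name.strip()
        params[current] = value.strip()
    # Postfix does not support inline comments: everything after '=' is the
    # value, '#' included. Warn, then assume the author meant the text before it.
    for name, value in list(params.items()):
        if "#" in value:
            warnings.append(f"{name}: inline '#' text is part of the value "
                            f"({value!r}); move the comment to its own line")
            params[name] = value.split("#", 1)[0].strip()
    return params, warnings


def yes_no(value, default="no"):
    """Interpret a Postfix boolean parameter."""
    return (value or default).strip().lower() in ("yes", "true", "on", "1")


@dataclass
class SmtpdTlsPosture:
    security_level: str
    starttls_offered: bool
    plaintext_mail_accepted: bool   # can a client send mail without STARTTLS?
    auth_before_starttls: bool      # is AUTH announced on an unencrypted session?
    warnings: list = field(default_factory=list)


def evaluate(params, warnings=()):
    """Derive the plaintext-session posture from parsed main.cf parameters."""
    level = params.get("smtpd_tls_security_level", "").strip().lower()
    if not level:
        # smtpd_tls_security_level, when set, overrides the obsolete
        # smtpd_use_tls / smtpd_enforce_tls pair; otherwise fall back to them.
        if yes_no(params.get("smtpd_enforce_tls")):
            level = "encrypt"
        elif yes_no(params.get("smtpd_use_tls")):
            level = "may"
        else:
            level = "none"
    if level not in ("may", "encrypt"):
        raise NotImplementedError(f"security level {level!r} is not modelled here")
    sasl_enabled = yes_no(params.get("smtpd_sasl_auth_enable"))
    auth_only = yes_no(params.get("smtpd_tls_auth_only"))
    return SmtpdTlsPosture(
        security_level=level,
        starttls_offered=True,
        plaintext_mail_accepted=(level == "may"),     # 'encrypt' demands STARTTLS first
        auth_before_starttls=sasl_enabled and not auth_only,  # auth_only=yes hides AUTH until TLS is up
        warnings=list(warnings),
    )


def analyse(text):
    params, warnings = parse_main_cf(text)
    return evaluate(params, warnings)


if __name__ == "__main__":
    posture = analyse(SAMPLE_MAIN_CF)
    for w in posture.warnings:
        print("warning:", w)
    print("as configured:", posture)
    print("with encrypt: ", analyse(SAMPLE_MAIN_CF.replace("= may", "= encrypt")))
```

Running it on the sample prints three inline-comment warnings and shows `plaintext_mail_accepted=True` with `auth_before_starttls=False` for the configuration in the question, and `plaintext_mail_accepted=False` once the level is changed to `encrypt`; that is the difference between the two parameters the question asks about.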