On 13 October 2011 19:16, Noel Jones <njo...@megan.vbhcs.org> wrote:
> On 10/13/2011 5:41 PM, Mark Homoky wrote:
>> On 11 Oct 2011, at 15:54, "Simon Brereton" <simon.brere...@buongiorno.com>
>> wrote:
>>
>>>>> this is obsoleted (I'm running 2.7.1) and to use
>>>>> smtpd_tls_security_level = may instead - however, vim tells me that
>>>>> the former is a valid configurable (it's highlighted) whilst the
>>>>> latter is not. That's part of my confusion.
>>>>
>>>> The authors of vim are not Postfix experts.
>>>
>>> Among the other things it's not practical enough to know is how vim does
>>> this anyway. I assumed there was some sort of file it checks in the
>>> postfix sources. But I'll amend this.
>>
>> No, it's a vim syntax file IIRC.
>
> Yes.
>
>> It might be useful for someone senior in Postfix development to look this
>> over?
>
> Postfix evolves, the vim syntax file hasn't. Updating the current
> vim syntax file probably isn't terribly complicated, but is well
> outside the scope of postfix and would be an ongoing project.
>
> If you want to fix it, just go through the postconf(5) and
> master(5) man pages and make sure all valid parameters are included
> in the vim file (Probably near 800 if you also include all the valid
> smtpd_*_restrictions options).
>
> My solution would be to remove the misleading vim syntax file.

With all due respect to Mr Jones - for the inexperienced among us that would be like amputating the leg to fix a broken ACL. No, the message is clear - believe the postconf(5) more than the pretty colours in vim. Problem solved. If it bugged me enough I'd file a bug report with the vim people. I may yet do that in the spirit of contributing to opensource since I can't code worth a fig.

I'd still like some more hand-holding on my earlier questions in response to Viktor..

> With no other settings for the SMTP client, outgoing TLS is disabled
> on your machine. You need "smtp_tls_security_level = may".

Thanks - you've already made the TLS_README more understandable. I've added that. Do I need to add other parameters?

smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtp_tls_CAfile = ?
smtp_tls_cert_file = ?
smtp_tls_key_file = ?
smtp_tls_loglevel = 1

> > smtpd_tls_CAfile = /etc/ssl/keys/ca.crt
> > smtpd_tls_cert_file = /etc/ssl/keys/mail..net.crt
>
> Not needed, you neither ask for nor verify client certs.

Should I be? And if so, how do I do that? Bearing in mind, I think I'd only want to verify them if they are actually used.

But the errors in my log are down and so for now I can live with it unless anyone has anything more to add. The problem with TLS/SSL is one always has the horrible suspicion one has left a gaping back-door open...

Simon
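
One way to act on "believe the postconf(5)" rather than editor highlighting is to check the names in main.cf against the parameter list the installed Postfix itself reports. This is an added example, not from the thread: the function names and both sample texts are constructed, and in practice the defaults text would be the output of `postconf -d`.

```python
import re

# Constructed excerpt; in practice this text is the output of `postconf -d`.
POSTCONF_DEFAULTS = """\
smtp_tls_loglevel = 0
smtp_tls_note_starttls_offer = no
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtpd_tls_cert_file =
smtpd_tls_security_level =
"""

# Constructed main.cf with one misspelled name and one continuation line.
MAIN_CF = """\
# TLS settings
smptd_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_session_cache_database =
    btree:${data_directory}/smtp_scache
"""

def parse_params(text):
    """Return {name: value} from main.cf or `postconf` style text."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank lines and comments are skipped
        if raw[0] in " \t":               # leading whitespace continues a value
            if name:
                params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)", raw)
        if m:
            name, params[m.group(1)] = m.group(1), m.group(2).strip()
    return params

def audit(main_cf, defaults):
    known, mine = parse_params(defaults), parse_params(main_cf)
    # Names Postfix does not list: typos, or user-defined $name macros.
    unknown = sorted(n for n in mine if n not in known)
    # Empty is the default; per the thread, outgoing TLS is then disabled.
    level = mine.get("smtp_tls_security_level",
                     known.get("smtp_tls_security_level", ""))
    return {"unknown": unknown, "smtp_tls_security_level": level}

if __name__ == "__main__":
    print(audit(MAIN_CF, POSTCONF_DEFAULTS))
```

A misspelled name is silently ignored as far as TLS is concerned, so the sample above leaves both the intended server setting and the client level at their defaults.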