On 10/18/2011 1:24 PM, Simon Brereton wrote:
>> smtpd_enforce_tls is obsolete, instead use
>> -o smtpd_tls_security_level=encrypt
>> This setting will reject all mail from unencrypted connections. The
>> "encrypt" setting must not be used on a public-facing port 25, but
>> is widely used and recommended on the submission port.
>>
>> smtpd_tls_auth_only prevents postfix from offering or accepting the
>> AUTH command until after an encrypted session is started. It is
>> commonly used on both the submission port and on port 25.
>>
>
> Thanks for the clarification. I'm using both without an issue (so far
> - I'm waiting for the one user - and there's always one) to tell me
> their client has stopped working.
The only problem you might see is with older clients and some
portable devices that don't support STARTTLS.
To get those stragglers, you can also enable smtps port 465 in
master.cf. Use the same options as submission adding
-o smtpd_tls_wrappermode=yes
-- Noel Jones
