On Wed, Jun 20, 2012 at 05:27:24PM -0400, Matt Van Mater wrote:

> However, it strikes me as strange that developers went through the
> trouble of automatically configuring "smtpd_use_tls = yes" for
> client/servers that support STARTTLS, when that setting has little
> value if the smtp_tls_security_level setting is not also changed.
> What other purpose does the smtpd_use_tls setting have, except to
> explicitly disable the protocol?

Your assumptions are flawed. The legacy (shown with default value):

    smtp_enforce_tls = no
    smtp_use_tls = no
    smtpd_enforce_tls = no
    smtpd_use_tls = no

boolean parameters are simply obsolete; you should not use these. They
have no effect when the new (shown with default value):

    smtp_tls_security_level =
    smtpd_tls_security_level =

security level parameters are set to a non-empty value. Just specify the
security level you want; the older settings are compatibility crutches
for obsolete, but still supported configurations (Postfix does not
capriciously break existing configurations).

> ... perhaps you might consider adding a log message such as:
> "WARNING remote server advertised support of STARTTLS but
> smtp_tls_security_level is defined as none; communications will not be
> encrypted."

http://www.postfix.org/postconf.5.html#smtp_tls_note_starttls_offer

-- 
	Viktor.
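The following is an added illustration, not code from the thread or from Postfix itself: a small main.cf linter that applies the rule stated in the reply (a non-empty smtp_tls_security_level / smtpd_tls_security_level wins, the legacy booleans are ignored) and flags configurations that still rely on the obsolete parameters. The mapping used when the level is empty (enforce_tls -> encrypt, use_tls -> may, otherwise none) is a simplified assumption for the example, as is the parser, which handles only plain "name = value" lines, comments and indented continuations. The two sample configurations are constructed; the "before" one mirrors the poster's situation, the "after" one sets the levels explicitly and enables smtp_tls_note_starttls_offer, the parameter the reply links to.

```python
import re

# Obsolete boolean parameters from the thread, per side (SMTP client "smtp",
# SMTP server "smtpd"). Postfix ignores them once the matching
# *_tls_security_level parameter is non-empty.
LEGACY = {
    "smtp": ("smtp_use_tls", "smtp_enforce_tls"),
    "smtpd": ("smtpd_use_tls", "smtpd_enforce_tls"),
}


def parse_main_cf(text):
    """Parse main.cf-style 'name = value' lines into a dict (assumed minimal parser).

    Comments and blank lines are skipped, a later assignment overrides an
    earlier one, and an indented line continues the previous value.
    """
    params = {}
    last = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", raw)
        if m:
            last = m.group(1)
            params[last] = m.group(2)
    return params


def _is_yes(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def effective_level(params, side):
    """Return (effective security level, list of findings) for one side.

    A non-empty level parameter wins outright, as the reply states. When it
    is empty, the level is derived from the legacy booleans using an assumed,
    simplified mapping: enforce -> encrypt, use -> may, otherwise none.
    """
    use_p, enforce_p = LEGACY[side]
    level_p = f"{side}_tls_security_level"
    findings = []

    legacy_set = [p for p in (use_p, enforce_p) if p in params]
    if legacy_set:
        findings.append(
            f"obsolete parameter(s) {', '.join(legacy_set)} set; "
            f"set {level_p} explicitly instead"
        )

    level = params.get(level_p, "")
    if level:
        return level, findings

    if _is_yes(params.get(enforce_p, "no")):
        derived = "encrypt"
    elif _is_yes(params.get(use_p, "no")):
        derived = "may"
    else:
        derived = "none"
    findings.append(
        f"{level_p} is empty; effective level '{derived}' comes from "
        f"legacy settings and defaults"
    )
    return derived, findings


def lint(text):
    """Lint a main.cf fragment; returns {side: (level, findings)}."""
    params = parse_main_cf(text)
    report = {side: effective_level(params, side) for side in LEGACY}

    # The reply points at smtp_tls_note_starttls_offer: with it enabled,
    # Postfix logs remote servers that offer STARTTLS while the client is
    # not using TLS, which is the warning the poster asked for.
    smtp_level, smtp_findings = report["smtp"]
    if smtp_level == "none" and not _is_yes(params.get("smtp_tls_note_starttls_offer", "no")):
        smtp_findings.append(
            "smtp client is not using TLS; consider smtp_tls_note_starttls_offer = yes "
            "to log servers that offer STARTTLS"
        )
    return report


# Constructed sample configurations (not from the thread or from any real system).
BEFORE_CF = """\
# server side auto-configured with the obsolete boolean, client level left empty
smtpd_use_tls = yes
smtp_tls_security_level =
"""

AFTER_CF = """\
# legacy booleans dropped, security levels stated explicitly
smtpd_tls_security_level = may
smtp_tls_security_level = may
smtp_tls_note_starttls_offer = yes
"""

if __name__ == "__main__":
    for name, cf in (("before", BEFORE_CF), ("after", AFTER_CF)):
        print(f"== {name} ==")
        for side, (level, findings) in lint(cf).items():
            print(f"{side}: effective level = {level}")
            for f in findings:
                print(f"  - {f}")
```

Running it on the "before" sample reports the smtp client at level none with a hint to enable smtp_tls_note_starttls_offer, and the smtpd side at may only because of an obsolete parameter; the "after" sample produces no findings on either side.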