On 10/30/2012 2:52 AM, thorso...@lavabit.com wrote:
> Hi,
>
> How to configure Postfix to reject unencrypted connections?
>
> Will the following do the job?
>
> smtp_tls_security_level = encrypt
> smtpd_tls_security_level = encrypt

The above two settings are sufficient to require encryption on every connection. Note these settings are not appropriate for an internet-facing server.

> smtp_tls_mandatory_protocols = TLSv1
>
> Should I enable "smtpd_tls_auth_only = yes" and
> "smtp_tls_policy_maps" along with the above commands?

Setting "smtpd_tls_auth_only = yes" may discourage misconfigured clients from sending credentials in cleartext.

smtp_tls_policy_maps is only needed if different destinations have different TLS policy requirements.

>
> Could you elaborate on "verify", "secure", and
> "smtp_tls_policy_maps"? [1]
>
> [1] http://www.postfix.org/postconf.5.html

In addition to
http://www.postfix.org/postconf.5.html#smtp_tls_security_level
please also see
http://www.postfix.org/TLS_README.html

Is there something unclear in the documentation?

-- Noel Jones
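The per-destination case mentioned in the reply, as an added example that is not part of the original thread: an opportunistic default with a policy table that raises selected destinations to "encrypt", "verify" or "secure". File paths and the example.* domains are assumed placeholders, and the server certificate settings that smtpd needs are omitted.

```conf
# ---- /etc/postfix/main.cf (path assumed) ----
# Outbound default: use TLS when the remote server offers it.
smtp_tls_security_level = may
# Per-destination overrides. Rebuild the table after each edit with:
#   postmap /etc/postfix/tls_policy
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Trust anchors used by the "verify" and "secure" levels (path assumed).
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Inbound: offer STARTTLS without requiring it, and announce AUTH
# only after the client has started TLS.
smtpd_tls_security_level = may
smtpd_tls_auth_only = yes

# ---- /etc/postfix/tls_policy (path assumed; domains are placeholders) ----
# encrypt: TLS is mandatory, the server certificate is not verified.
example.com                 encrypt
# verify: TLS is mandatory, the certificate must chain to a trusted CA
# and match the MX hostname obtained from DNS.
example.net                 verify
# secure: as verify, but the certificate is matched against the
# next-hop domain, so an unauthenticated MX lookup is not trusted.
example.org                 secure
# Fixed relay on the submission port, matched by its own name.
[mail.example.org]:587      secure match=nexthop
```

Mail to a destination listed in the table is deferred rather than sent in the clear when its required level cannot be met; destinations not listed fall back to smtp_tls_security_level.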