On Tue, 16 Jul 2013 18:10:27 -0500, /dev/rob0 <r...@gmx.co.uk> wrote:
> Sure, this works, but why is it a problem? Why not just enforce TLS
> where it is needed?
>
> http://www.postfix.org/TLS_README.html#client_tls_policy
> http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
>
> A Postfix which is using a relayhost is not going to connect to
> random Internet sites, and it is definitely not going to attempt to
> AUTH at any site not configured in $smtp_sasl_password_maps.

Maybe I'm being paranoid, but because not all my relays support TLS I cannot be stricter than smtp_tls_security_level = may without also having separate transports (if I understand correctly). So if I do not set noplaintext and someday one of the usually-TLS-enabled relays doesn't offer TLS (config hiccup...), Postfix will AUTH.

--
Vincent Pelletier
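
The two approaches discussed in this thread (a per-destination TLS policy and `noplaintext` for unencrypted sessions) can be combined. The fragment below is an added example, not part of either message; the relay hostnames, ports and file paths are assumptions.

```conf
# /etc/postfix/main.cf  (added example; file paths are assumptions)

# Default for destinations not listed in the policy table: opportunistic TLS.
smtp_tls_security_level = may
# Per-destination overrides, looked up by next-hop as written in relayhost/transport.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

# Sessions WITHOUT TLS: never offer the password to a plaintext mechanism
# (PLAIN, LOGIN), so a relay that stops offering STARTTLS does not receive it.
smtp_sasl_security_options = noanonymous, noplaintext
# Sessions WITH TLS: plaintext mechanisms are acceptable inside the tunnel.
smtp_sasl_tls_security_options = noanonymous


# /etc/postfix/tls_policy  (hostnames are constructed placeholders)
# Run "postmap /etc/postfix/tls_policy" after editing.

# Relay that normally supports TLS: require it. If STARTTLS disappears,
# mail is deferred instead of being sent (and authenticated) in the clear.
[relay-tls.example.com]:587     encrypt

# Relay without TLS support: stay opportunistic.
[relay-legacy.example.net]:25   may
```

With these settings a relay reached without TLS must offer a non-plaintext SASL mechanism, otherwise authentication to it fails rather than exposing the password.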