On Wed, Jul 17, 2013 at 08:19:56AM +0200, Vincent Pelletier wrote:

> Maybe I'm being paranoid, but because not all my relays support TLS I
> cannot be stricter than
>
>     smtp_tls_security_level = may
>
> without also having separate transports (if I understand correctly).
> So if I do not set noplaintext and someday one of the
> usually-TLS-enabled relays doesn't offer TLS (config hiccup...),
> Postfix will AUTH.
The suggestion, I believe, is to use smtp_tls_policy_maps to ensure
that TLS is used for destinations where you will be using plaintext
authentication.

    # MITM resistant authenticated TLS
    [smtp.example.com]:587 secure match=smtp.example.com

    # MITM vulnerable unauthenticated TLS
    [smtp.example.com]:587 encrypt

    # Some day when provider adopts DNSSEC and publishes a suitable TLSA
    # RRset and you've deployed Postfix 2.11
    # [smtp.example.com]:587 dane-only

-- 
	Viktor.
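The reply above pairs a per-destination TLS policy with the places where plaintext SASL credentials are configured. The following script is an added example, not code from the thread or from the Postfix project: it cross-checks a Postfix smtp_tls_policy_maps table against an smtp_sasl_password_maps table and reports, for every next-hop that has a password, whether the effective security level forbids cleartext delivery (so the password can never be sent unencrypted) and whether it also authenticates the server (the MITM point Viktor makes). Both tables, the host names and the credentials are constructed for the example; the lookup is a simplification that matches only the verbatim `[host]:port` key, whereas smtp(8) also retries without the port.

```python
"""Audit Postfix SASL credentials against TLS policy levels (added example).

Constructed input: two hash:-style tables in the format Postfix reads.
Assumption: only the verbatim next-hop key is looked up; the real smtp(8)
client also retries the key without ":port", which is not modelled here.
"""

# Levels at which Postfix refuses to deliver without TLS, so a plaintext
# AUTH can never happen on a cleartext session.
TLS_REQUIRED = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# Levels that also verify the server's identity. "encrypt" only encrypts,
# so an active attacker with any certificate still captures the password.
SERVER_AUTHENTICATED = {"dane-only", "fingerprint", "verify", "secure"}

# Not in either set: "none" and "may" allow cleartext outright, and "dane"
# degrades to opportunistic TLS when no usable TLSA RRset is published.


def parse_table(text):
    """Parse 'key value...' lines; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            table[parts[0]] = parts[1]
    return table


def policy_level(policy_map, nexthop, default_level):
    """Effective level: the policy-map entry if present, else the global
    smtp_tls_security_level. The first token of an entry is the level;
    anything after it (e.g. match=...) is an attribute and is ignored here."""
    entry = policy_map.get(nexthop)
    if entry is None:
        return default_level
    return entry.split()[0]


def audit(policy_map_text, password_map_text, default_level="may"):
    """Return one finding per credentialed next-hop, in table order."""
    policy = parse_table(policy_map_text)
    creds = parse_table(password_map_text)
    findings = []
    for nexthop in creds:
        level = policy_level(policy, nexthop, default_level)
        findings.append({
            "nexthop": nexthop,
            "level": level,
            "plaintext_possible": level not in TLS_REQUIRED,
            "mitm_resistant": level in SERVER_AUTHENTICATED,
        })
    return findings


# Constructed sample tables (hosts and credentials are placeholders).
POLICY_MAP = """
# MITM resistant authenticated TLS
[smtp.example.com]:587 secure match=smtp.example.com
# MITM vulnerable unauthenticated TLS
[relay.example.net]:587 encrypt
# opportunistic: cleartext if the relay stops offering STARTTLS
[legacy.example.org]:25 may
"""

PASSWORD_MAP = """
[smtp.example.com]:587 alice:hunter2
[relay.example.net]:587 bob:correcthorse
[legacy.example.org]:25 carol:batterystaple
[unlisted.example.com]:587 dave:secret
"""

if __name__ == "__main__":
    for f in audit(POLICY_MAP, PASSWORD_MAP):
        flag = "PLAINTEXT AUTH POSSIBLE" if f["plaintext_possible"] else (
            "tls only" if f["mitm_resistant"] else "tls only, MITM vulnerable")
        print(f"{f['nexthop']:32} {f['level']:10} {flag}")
```

Run against the real files with `python3 audit.py` after pasting in the output of `postmap -s` for each table; any destination reported as "PLAINTEXT AUTH POSSIBLE" is one where a relay that silently stops offering STARTTLS would receive the password in the clear, which is exactly the failure the original poster was worried about.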