On 2013-10-14 20:10, Viktor Dukhovni wrote:
> On Mon, Oct 14, 2013 at 08:12:01AM -0400, Dan Langille wrote:
>> The master.cf has something like this:
>> 64.147.113.42:5587 inet n - n - - smtpd
>> -o smtp_tls_security_level=encrypt
> The above setting is pointless, drop it.
Ahh. Yes. I think I understand. That is an smtp directive and this is
an smtpd process. And the TLS security level for that is specified
farther down as:
-o smtpd_tls_security_level=encrypt
I will move that to main.cf and change the value to may:
smtp_tls_security_level=may
>> -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
> An empty or nearly empty file is best here, all the CA DNs are sent
> to the SMTP client, which does not need any of them.
I will try trimming those down to a minimum.
Some of the entries from main.cf are:
smtp_tls_policy_maps = hash:/usr/local/etc/postfix-config/tls_policy
transport_maps = hash:/usr/local/etc/postfix-config/transport
relay_clientcerts = hash:/usr/local/etc/postfix-config/relay_clientcerts
smtpd_tls_fingerprint_digest=sha1
smtp_tls_fingerprint_digest=sha1
> Consider enabling TLS session caching.
I was thinking about that last night, after watching all the messages
which are logged when smtpd_tls_loglevel=2. After adding TLS session
caching, the logged messages closely resemble the messages you see with
non-TLS comms (i.e. all the SSL_accept, Trusted TLS connection
established, etc. messages disappear).
Thank you for the suggestions. I appreciate it.
--
Dan Langille - http://langille.org/
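Added example, not part of the thread: a small Python check for the mix-up discussed above, flagging `-o` overrides in master.cf whose parameter prefix (`smtp_` for the client, `smtpd_` for the server) belongs to a different daemon than the service's command. The master.cf sample is constructed from the fragment in the thread; the function and service names are assumptions.

```python
"""Lint Postfix master.cf overrides: an smtp_* (client) parameter on an smtpd
(server) service, or the reverse, is silently ignored by that daemon."""
import re

# Constructed sample modelled on the master.cf fragment in the thread.
SAMPLE_MASTER_CF = """\
# service type private unpriv chroot wakeup maxproc command + args
smtp      inet  n       -       n       -       -       smtpd
64.147.113.42:5587 inet n - n - - smtpd
  -o smtp_tls_security_level=encrypt
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
relay     unix  -       -       n       -       -       smtp
  -o smtpd_tls_security_level=may
"""

# Which parameter prefix each daemon actually reads.
OWNER = {"smtpd": "smtpd_", "smtp": "smtp_"}


def parse_services(text):
    """Return [(service_name, command, [override parameter names])]."""
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():  # indented line continues the previous service entry
            if services:
                services[-1][2].extend(re.findall(r"-o\s+([A-Za-z0-9_]+)=", raw))
            continue
        fields = raw.split()
        if len(fields) < 8:  # name type private unpriv chroot wakeup maxproc command
            continue
        services.append((fields[0], fields[7], []))
    return services


def misplaced_overrides(text):
    """Return (service, command, parameter) for overrides read by a different daemon."""
    findings = []
    for name, command, params in parse_services(text):
        expected = OWNER.get(command)
        if expected is None:
            continue
        for p in params:
            # "smtpd_" also starts with "smtp_", so test the longer prefix first.
            prefix = "smtpd_" if p.startswith("smtpd_") else "smtp_" if p.startswith("smtp_") else None
            if prefix and prefix != expected:
                findings.append((name, command, p))
    return findings


if __name__ == "__main__":
    for svc, cmd, param in misplaced_overrides(SAMPLE_MASTER_CF):
        print(f"{svc}: -o {param} is ignored by {cmd}")
```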