In message <3pgpvv0nvczj...@spike.porcupine.org>
Wietse Venema writes:
 
> Curtis Villamizar:
> > What I'd like to do is set smtpd_tls_security_level back to "may" and
> > then somehow set it to "none" if the EHLO domain is comcast.net (oops
> > the secret is out).
> > 
> > I see we have smtp_tls_policy_maps, but no smtpd_tls_policy_maps.
>  
> Use this to suppress the STARTTLS announcement selectively:
>  
> http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
>  
> /etc/postfix/main.cf:
>     smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/ehlo-map.cidr
>  
> /etc/postfix/ehlo-map.cidr:
>     # The provider here.
>     192.168.1.0/24 starttls

Thanks.  I should have asked sooner and saved a lot of time.  Too bad
it is IPs and CIDRs only but it'll work.

> Or make your TLS server settings more tolerant.

If the issue is my cert files, I'd rather wait for comcast to upgrade
than regenerate select keys with weaker ciphers (just the two MTAs).

Looks like "high" was not a problem if I'm reading the logs right.
But I could tell for sure if I bump it down to medium.  Just bumped up
to smtpd_tls_loglevel = 3 so I might have better information soon.
This is a light duty email server so load is not an issue.

> (there's an analogous smtp_discard_ehlo_keyword_address_maps feature
> for outbound delivery problems).
>  
>       Wietse

Nothing at all secret or confidential being exchanged with the few
comcast residential service users.  (Or anyone else for that matter).
So no big deal even if I set smtpd_tls_security_level to none.

I'll gather more info for now and try to get through comcast support.
I doubt there would be any new info relevant to this list.

Curtis
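The map Wietse suggests is keyed by client IP only, and Postfix cidr: tables are matched in file order with the first hit winning, so it is worth checking which clients would actually lose the STARTTLS announcement before deploying it. The script below is an added example, not code from the thread or from Postfix itself: it re-implements that first-match lookup over a constructed sample map (the addresses and the IPv6 prefix are made up) so an admin can test candidate client addresses offline with `postmap` nowhere in sight.

```python
# Added example (not Postfix code): a minimal re-implementation of how a
# Postfix cidr: table is consulted for smtpd_discard_ehlo_keyword_address_maps.
# Assumption (matches cidr_table(5) as documented): patterns are tried in
# file order and the first matching prefix wins; there is no longest-prefix
# preference. Lookup key is the client IP address, nothing else.
import ipaddress

# Constructed sample map in cidr: syntax. Not the thread's real file; the
# provider range and the IPv6 prefix are placeholders.
SAMPLE_MAP = """
# The provider here.
192.168.1.0/24 starttls
# One extra host, and a documentation-range IPv6 prefix
192.168.2.7      starttls
2001:db8:1::/48  starttls
"""


def parse_cidr_map(text):
    """Return [(network, [keyword, ...]), ...] in file order.

    Comments (#) and blank lines are skipped; a host without a prefix
    length becomes a /32 or /128. Keywords may be comma or space separated.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed cidr entry: {raw!r}")
        net = ipaddress.ip_network(parts[0], strict=False)
        keywords = [k.lower() for k in parts[1].replace(",", " ").split()]
        entries.append((net, keywords))
    return entries


def lookup(entries, client_ip):
    """EHLO keywords to discard for client_ip; [] when no pattern matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, keywords in entries:
        # First match in file order wins, as with Postfix cidr: tables.
        if addr.version == net.version and addr in net:
            return keywords
    return []


def starttls_suppressed(entries, client_ip):
    """True when this client would not be offered STARTTLS at all."""
    return "starttls" in lookup(entries, client_ip)


if __name__ == "__main__":
    table = parse_cidr_map(SAMPLE_MAP)
    for ip in ("192.168.1.44", "192.168.2.7", "192.168.3.1", "2001:db8:1::42"):
        state = "suppressed" if starttls_suppressed(table, ip) else "offered"
        print(f"{ip:>16}  STARTTLS {state}")
```

Because the key is the connecting address, a client that reaches the server from an address outside the listed prefixes is still offered STARTTLS regardless of what it says in EHLO, which is the limitation Curtis notes above; the map cannot look at the EHLO domain.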
