Viktor Dukhovni:
> On Sat, Feb 20, 2016 at 08:32:31AM -0500, Wietse Venema wrote:
>
> > > Creating a separate hash file with following content like below solved my
> > > issue but doing the same for all domain will not be acceptable solution
> > > ...
> >
> > If you want to encrypt mail to all domains:
> >
> > /etc/postfix/main.cf
> >     smtp_tls_security_level = encrypt
> >
> > But I would not recommend this.
>
> If the OP just wants to use TLS with domains that offer STARTTLS,
> then:
>
>     smtp_tls_security_level = may
>
> may be most appropriate. This does not prevent cleartext fallback
> in case of trouble, but there are enough domains that advertise
> non-working STARTTLS to make cleartext fallback the sensible choice
> at present. Opportunistic TLS is a counter-measure to passive
> monitoring, not active attacks.

The fanatics can disable fallback to plaintext with the example
in http://www.postfix.org/postconf.5.html#default_delivery_status_filter
(available in Postfix 3.0 and later).

	Wietse
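
An added example, not part of the original thread: a small audit that combines the global `smtp_tls_security_level` with per-domain overrides from a policy table (the "separate hash file" approach) and reports which destinations can still fall back to cleartext. The file contents, the `/etc/postfix/tls_policy` path and the domains are constructed; the lookup is simplified to exact domain matches, and a missing global setting is treated as `none` for this example.

```python
import re

# Levels at which the Postfix SMTP client may still deliver without TLS.
# "dane" is listed because it degrades to "may" when no TLSA records exist.
CLEARTEXT_POSSIBLE = {"none", "may", "dane"}

# Constructed sample input (not taken from the thread).
MAIN_CF = """\
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
"""
TLS_POLICY = """\
# destination   level
example.com     encrypt
"""

def default_level(main_cf):
    """Global level from main.cf text; the last setting wins."""
    level = "none"  # assumption for this example when the parameter is absent
    for line in main_cf.splitlines():
        # Settings start in column 0; indented lines are continuations.
        m = re.match(r"smtp_tls_security_level\s*=\s*(\S*)", line)
        if m:
            level = m.group(1) or "none"
    return level

def parse_policy(table):
    """Map each destination in a policy table source file to its level."""
    policy = {}
    for line in table.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            policy[fields[0].lower()] = fields[1].lower()
    return policy

def audit(main_cf, table, destinations):
    """Return {destination: (effective_level, cleartext_fallback_possible)}."""
    default = default_level(main_cf)
    policy = parse_policy(table)
    report = {}
    for dest in destinations:
        level = policy.get(dest.lower(), default)  # exact match only
        report[dest] = (level, level in CLEARTEXT_POSSIBLE)
    return report

if __name__ == "__main__":
    for dest, (level, fallback) in audit(
            MAIN_CF, TLS_POLICY, ["example.com", "example.org"]).items():
        print(f"{dest}: level={level} cleartext_fallback={fallback}")
```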