Yes, it is advisable to enable TLS. What is your OS and Postfix version?
For example, I use Debian. And when you want to use: ca-certificates.crt
You need to set up as Debian expects and it includes your cert in the ca-certificates.crt, so that's why I want to know the OS and version of Postfix.
(Debian/Ubuntu setup)
Read: https://www.brightbox.com/blog/2014/03/04/add-cacert-ubuntu-debian/

Next to read, Postfix TLS: http://www.postfix.org/TLS_README.html
The setup for TLS can differ a bit compared to versions 2.x and 3.x.
But this should be sufficient to start with.

## TLS
smtpd_use_tls = yes
smtpd_tls_key_file = /etc/postfix/newreq.pem
smtpd_tls_cert_file = /etc/postfix/newcert.pem
smtpd_tls_CAfile = /etc/postfix/cacert.pem
smtpd_tls_loglevel = 3
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

And a test site for you. https://ssl-tools.net/mailservers
and a nice site with stronger settings. https://cipherli.st/

Hope that this helps you a bit further.

Greetz,

Louis

> -----Original message-----
> From: webmas...@lshipping.info [mailto:owner-postfix-us...@postfix.org]
> On behalf of Den1
> Sent: Wednesday 29 March 2017 14:04
> To: postfix-users@postfix.org
> Subject: Re: Postfix cannot start tls: handshake failure
>
> I was wondering is it actually advisable to use tls on smtp? When I tried it
> out with my self-signed certificates just to see if it's of any convenience
> to implement this feature I received the following response:
>
> TLS required, but was not offered by host -or- we do not run TLS engine -or-
> certificate is not trusted
>
> on
>
> smtp_tls_security_level = encrypt -or- secure
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
>
> when I tried the following:
>
> smtp_tls_security_level = may
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
>
> it simply went through without giving any "feedback" or warnings. My
> understanding also is that it just wasn't secure / encrypted with this 'may'
> so that's why it went through OK.
>
> what about the rest of the settings of
>
> smtp_tls_cert_file = -and-
> smtp_tls_key_file =
>
> are they not required?
>
> Could anyone comment on the above, please? Many thanks!
>
> --
> View this message in context:
> http://postfix.1071664.n5.nabble.com/Postfix-cannot-start-tls-handshake-failure-tp89684p89727.html
> Sent from the Postfix Users mailing list archive at Nabble.com.
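
Added example, not part of the original messages or of Postfix: a small Python check that reads main.cf text and reports what the outbound `smtp_tls_security_level` discussed in this thread actually enforces. The function names and the two sample configs are constructed for illustration; the level semantics follow the Postfix TLS_README linked above.

```python
# level -> (TLS required?, server certificate verified?), per Postfix TLS_README
LEVELS = {
    "none":    (False, False),
    "may":     (False, False),  # opportunistic: TLS if offered, else cleartext
    "encrypt": (True,  False),  # TLS mandatory, any certificate accepted
    "verify":  (True,  True),   # TLS mandatory, certificate must be trusted
    "secure":  (True,  True),   # like verify, name taken from the nexthop domain
}

def parse_main_cf(text):
    """Parse main.cf text: '#' comments, continuation lines, last value wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:      # leading whitespace continues a line
            params[name] = (params[name] + " " + raw.strip()).strip()
        elif "=" in raw:
            name, value = (part.strip() for part in raw.split("=", 1))
            params[name] = value
    return params

def outbound_tls_report(text):
    """Summarise the client-side (smtp_*) TLS policy found in main.cf text."""
    p = parse_main_cf(text)
    level = p.get("smtp_tls_security_level") or "unset"
    required, verified = LEVELS.get(level, (None, None))
    notes = []
    if verified and not (p.get("smtp_tls_CAfile") or p.get("smtp_tls_CApath")):
        notes.append("no trust anchors: every server certificate will be untrusted")
    if level == "may":
        notes.append("delivery falls back to cleartext when STARTTLS is not offered")
    return {"level": level, "tls_required": required, "cert_verified": verified,
            # a client certificate is optional; it is only sent when configured
            "client_cert_configured": bool(p.get("smtp_tls_cert_file")),
            "notes": notes}

# Constructed sample configs mirroring the two settings tried in the thread.
SAMPLE_MAY = """\
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
"""
SAMPLE_SECURE = """\
# outbound policy, value on a continuation line
smtp_tls_security_level =
    secure
"""
```

On a live system the same function can be fed the output of `postconf -n`, which prints the non-default settings in `name = value` form.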