Viktor Dukhovni <postfix-us...@dukhovni.org> writes:

>> On Dec 6, 2017, at 1:41 PM, micah <mi...@riseup.net> wrote:
>>
>>>> main.cf
>>>> smtpd_tls_security_level = may
>>
>> Is there a reason why 'smtpd_tls_security_level = may' is not default in
>> postfix? What needs to be done to make it default? It seems harmless to
>> have that enabled by default, with no negative effects that I can discern
>> and improves the overall opportunistic landscape if it were
>> default.
>
> Someone has to decide what sort of certificate is appropriate for the
> domain. That decision requires some administrator oversight. Therefore,
> it is something that a package installer can prompt for. And some OS
> distributions of Postfix do in fact enable inbound TLS IIRC.

I'm sorry, I meant 'smtp_tls_security_level = may' - not smtpd_tls_security_level. You are correct that smtpd_tls_security_level would need a certificate, but 'smtp_tls_security_level' does not, and as an opportunistic mode, it is designed to fall back to cleartext, so I do not see any problem with it being the default.
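
The distinction drawn in this thread (inbound `smtpd_tls_security_level` needs a certificate, outbound `smtp_tls_security_level` does not), as an added example that is not part of the original messages: a small Python check over main.cf text. The function names and sample configurations are constructed for illustration.

```python
import re

# Server-side certificate parameters (Postfix main.cf parameter names).
SERVER_CERT_PARAMS = ("smtpd_tls_cert_file", "smtpd_tls_eccert_file",
                      "smtpd_tls_dcert_file", "smtpd_tls_chain_files")

def parse_main_cf(text):
    """Return {name: value}, honouring comments, continuation lines, last-wins."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                          # blank and comment lines are ignored
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace continues a line
        else:
            logical.append(raw.strip())
    params = {}
    for line in logical:
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()  # a later setting overrides
    return params

def audit_tls(text):
    """Return findings for outbound (smtp_) and inbound (smtpd_) TLS settings."""
    p = parse_main_cf(text)
    findings = []
    client = p.get("smtp_tls_security_level", "")
    server = p.get("smtpd_tls_security_level", "")
    if client in ("", "none"):
        findings.append("outbound: smtp_tls_security_level is not set to "
                        "'may' or stronger in this file")
    if server in ("may", "encrypt") and not any(p.get(k) for k in SERVER_CERT_PARAMS):
        findings.append("inbound: smtpd_tls_security_level=%s but no server "
                        "certificate parameter is set" % server)
    return findings

# Constructed sample configurations, not taken from the thread.
SAMPLE_CLIENT_ONLY = "# opportunistic outbound TLS\nsmtp_tls_security_level = may\n"
SAMPLE_SERVER_NO_CERT = "smtpd_tls_security_level = may\n"

if __name__ == "__main__":
    for name, cfg in (("client-only", SAMPLE_CLIENT_ONLY),
                      ("server-no-cert", SAMPLE_SERVER_NO_CERT)):
        print(name, audit_tls(cfg) or "no findings")
```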