>Matus UHLAR - fantomas:
>> does it make sense to run tlsproxy when post-220 tests are not run?

On 03.05.19 12:40, Wietse Venema wrote:
>tlsproxy is required when:
>
>- postscreen: always when the server announces STARTTLS.
>
>- smtp client: always when connection reuse for TLS is enabled.
>
>The postscreen built-in dummy SMTP server handles not only after-220
>tests, it also handles all clients that fail tests, so that postscreen
>can log helo, sender, and recipient information.

>Matus UHLAR - fantomas:
>> and if tlsproxy is not enabled in master.cf, does postscreen skip offering
>> STARTTLS or produce error when client requests it?

On 09.05.19 07:10, Wietse Venema wrote:
>Don't do that. Postfix usually reports errors when the sysadmin
>does stupid things, but those unexpected code paths are not optimized
>for performance (unlike the expected code paths when users/spammers
>do stupid things).

well, uncommented. Thanks.

Seems that I assumed too much, e.g. that since TLS isn't mandatory on SMTP
port, starttls and thus tlsproxy isn't important.  Perhaps starttls could be
avoided by setting:

postscreen_discard_ehlo_keywords = starttls

   /*
    * Connect to the tlsproxy(8) daemon. We report all errors
    * asynchronously, to avoid having to maintain multiple delivery paths.
    */
   if ((fd = LOCAL_CONNECT(psc_tlsp_service, NON_BLOCKING, 1)) < 0) {
       msg_warn("connect to %s service: %m", psc_tlsp_service);
       PSC_SEND_REPLY(smtp_state,
                   "454 4.7.0 TLS not available due to local problem\r\n");
       event_request_timer(resume_event, (void *) smtp_state, 0);
       return;
   }

This is the error in logs that made me ask about it.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Linux - It's now safe to turn on your computer.
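An added configuration check (not Postfix code and not from this thread) for the mismatch discussed above: postscreen announcing STARTTLS while tlsproxy is commented out in master.cf, which produces the "454 4.7.0 TLS not available due to local problem" reply, plus the smtp-client case from Wietse's list. It assumes the documented defaults (postscreen_tls_security_level falls back to smtpd_tls_security_level; tlsproxy is commented out in the stock master.cf); the master.cf and main.cf inputs are constructed samples.

```python
import re
# Constructed sample: stock-style master.cf with tlsproxy still commented out.
MASTER_CF = """\
smtp      inet  n       -       y       -       1       postscreen
smtpd     pass  -       -       y       -       -       smtpd
#tlsproxy  unix  -       -       y       -       0       tlsproxy
"""
# Constructed sample of the relevant main.cf settings ('postconf -n' style).
MAIN_CF = """\
smtpd_tls_security_level = may
postscreen_discard_ehlo_keywords =
smtp_tls_connection_reuse = no
"""

def enabled_commands(master_text):
    """Daemon commands enabled in master.cf (column 8 of the non-comment,
    non-indented lines; indented lines are -o continuations)."""
    enabled = set()
    for line in master_text.splitlines():
        if not line.strip() or line.startswith("#") or line[0].isspace():
            continue
        cols = line.split()
        if len(cols) >= 8:
            enabled.add(cols[7])
    return enabled

def parse_main(main_text):
    """'name = value' lines as a dict; no $variable expansion is done."""
    params = {}
    for line in main_text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def check_tlsproxy(master_text, main_text):
    """Findings as a list of strings; empty means the two files agree."""
    cmds = enabled_commands(master_text)
    p = parse_main(main_text)
    findings = []
    # Assumed default: postscreen_tls_security_level falls back to smtpd_tls_security_level.
    level = p.get("postscreen_tls_security_level") or p.get("smtpd_tls_security_level", "none")
    discard = re.split(r"[,\s]+", p.get("postscreen_discard_ehlo_keywords", "").lower())
    if "postscreen" in cmds and level != "none" and "starttls" not in discard and "tlsproxy" not in cmds:
        findings.append("postscreen announces STARTTLS but tlsproxy is disabled in master.cf: "
                        "clients get '454 4.7.0 TLS not available due to local problem'")
    if p.get("smtp_tls_connection_reuse", "no") == "yes" and "tlsproxy" not in cmds:
        findings.append("smtp_tls_connection_reuse = yes also requires tlsproxy")
    return findings
```

Running it against the live files (`postconf -n` output and /etc/postfix/master.cf) is the intended use; the sample here reproduces the thread's situation and the two fixes (uncommenting tlsproxy, or discarding the starttls keyword) both clear the finding.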
