smtpd_tls_security_level <http://www.postfix.org/postconf.5.html#smtpd_tls_security_level> = may
With this, the Postfix SMTP server announces STARTTLS support to remote SMTP clients, but does not require that clients use TLS encryption. So it looks like your server still accepts unencrypted (non-TLS) SMTP connections? Eero On Thu, Jan 2, 2020 at 8:11 PM James B. Byrne <byrn...@harte-lyne.ca> wrote: > The following are the settings in main.cf that have been changed > followed by the commented (#) default values: > > postconf mail_version > mail_version = 3.3.4 > > postconf -n | grep smtp | grep tls > > smtp_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt > #smtp_tls_CAfile = > > smtp_tls_cert_file = > /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt > #smtp_tls_cert_file = > > smtp_tls_ciphers = high > #smtp_tls_ciphers = medium > > smtp_tls_exclude_ciphers = MD5, aDSS, SRP, PSK, aECDH, aDH, SEED, > IDEA, RC2,\ RC4, RC5, DES, 3DES #smtp_tls_exclude_ciphers = > > smtp_tls_key_file = /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key > #smtp_tls_key_file = $smtp_tls_cert_file > > smtp_tls_mandatory_ciphers = high > #smtp_tls_mandatory_ciphers = medium > > smtp_tls_mandatory_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, > !SSLv3, !SSLv2 > #smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 > > smtp_tls_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv3, > !SSLv2 #smtp_tls_protocols = !SSLv2, !SSLv3 > > smtp_tls_security_level = dane > #smtp_tls_security_level = > > smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_scache > #smtp_tls_session_cache_database = > > smtp_tls_session_cache_timeout = 3600s > #smtp_tls_session_cache_timeout = 3600s > > smtpd_starttls_timeout = ${stress?10}${stress:120}s > #smtpd_starttls_timeout = ${stress?{10}:{300}}s > > smtpd_tls_CAfile = /usr/local/etc/pki/tls/certs/ca-bundle.crt > #smtpd_tls_CAfile = > > smtpd_tls_ask_ccert = no > #smtpd_tls_ask_ccert = no > > smtpd_tls_auth_only = yes > #smtpd_tls_auth_only = no > > smtpd_tls_cert_file = /usr/local/etc/pki/tls/certs/ca.harte-lyne.mx31.crt > #smtpd_tls_cert_file = > > 
smtpd_tls_ciphers = high > #smtpd_tls_ciphers = medium > > smtpd_tls_dh1024_param_file = ${config_directory}/dh2048.pem > #smtpd_tls_dh1024_param_file = > > smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, > aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA > #smtpd_tls_exclude_ciphers = > > smtpd_tls_fingerprint_digest = sha256 > #smtpd_tls_fingerprint_digest = md5 > > smtpd_tls_key_file = > /usr/local/etc/pki/tls/private/ca.harte-lyne.mx31.key > #smtpd_tls_key_file = $smtpd_tls_cert_file > > smtpd_tls_mandatory_ciphers = high > #smtpd_tls_mandatory_ciphers = medium > > smtpd_tls_mandatory_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, > !SSLv3, !SSLv2 > #smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 > > smtpd_tls_protocols = TLSv1.3, TLSv1.2, !TLSv1.1, !TLSv1, !SSLv3, !SSLv2 > #smtpd_tls_protocols = !SSLv2, !SSLv3 > > smtpd_tls_received_header = yes > #smtpd_tls_received_header = no > > smtpd_tls_security_level = may > #smtpd_tls_security_level = > > smtpd_tls_session_cache_database = btree:/var/db/postfix/smtpd_scache > #smtpd_tls_session_cache_database = > > smtpd_tls_session_cache_timeout = 3600s > #smtpd_tls_session_cache_timeout = 3600s > > > -- > *** e-Mail is NOT a SECURE channel *** > Do NOT transmit sensitive data via e-Mail > Do NOT open attachments nor follow links sent by e-Mail > > James B. Byrne mailto:byrn...@harte-lyne.ca > Harte & Lyne Limited http://www.harte-lyne.ca > 9 Brockley Drive vox: +1 905 561 1241 > Hamilton, Ontario fax: +1 905 561 0757 > Canada L8E 3C3 > >