On 08 Feb 2021, at 06:20, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 31.01.21 09:56, Daniel Armando Rodriguez wrote:
>> Indeed, it was running chrooted but resolv.conf has the same content
> === # postconf -nf
>> smtp_tls_protocols = TLSv1.2, !TLSv1.1, !TLSv1, !SSLv2, !SSLv3
>
> this is superfluous and not a good idea. Many servers support TLS1.0 max.
> !SSLv2, !SSLv3 should be enough for now.

Both TLSv1 and TLSv1.1 are end-of-life, so it is reasonable as no servers should be supporting.

Now, is it needed? That's another question. There are no servers that connected to me today with TLSv1 or TLSv1.1. Looking over the last few days, I see connections from servers I do not accept mail from, so it looks to me based on my logs that I could easily reject TLSv1 or TLSv1.1 without missing a single mail. YMMV.

>> smtp_tls_security_level = verify

> smtp, by default, is plaintext, and encryption is not fully standard, so you
> disable sending mail to part of internet.

smtp_tls_security_level = may

Is the correct setting. "Verify" should only be used when your server talks only to specific servers that you know are encrypted and want to ensure the communication to those are encrypted.

-- 
Don't kink-shame!
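
The log review described in the reply above, as an added example that is not part of the original thread: a tally of negotiated TLS versions per direction, listing the peers that still use TLSv1 or TLSv1.1. It assumes `smtpd_tls_loglevel = 1` and `smtp_tls_loglevel = 1` so that Postfix writes its "TLS connection established" summary lines; the sample log lines, host names and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not from the thread), in the format Postfix logs
# when smtpd_tls_loglevel = 1 and smtp_tls_loglevel = 1 (assumed settings).
SAMPLE_LOG = """\
Feb  8 06:01:02 mx postfix/smtpd[1201]: connect from mail.example.org[192.0.2.10]
Feb  8 06:01:02 mx postfix/smtpd[1201]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb  8 06:03:40 mx postfix/smtpd[1207]: Anonymous TLS connection established from scanner.example.com[203.0.113.7]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Feb  8 06:05:11 mx postfix/smtp[1302]: Trusted TLS connection established to mx.example.net[198.51.100.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Feb  8 06:07:29 mx postfix/smtp[1310]: Untrusted TLS connection established to old-mx.example.net[198.51.100.9]:25: TLSv1 with cipher AES256-SHA (256/256 bits)
Feb  8 06:09:55 mx postfix/smtpd[1215]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
"""

# Protocol versions the thread discusses disabling.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# smtpd = inbound (server side), smtp = outbound (client side, smtp_tls_* settings).
TLS_LINE = re.compile(
    r"postfix/(?P<svc>smtpd?)\[\d+\]: \w+ TLS connection established "
    r"(?:from|to) (?P<peer>\S+?\[[^\]]+\])(?::\d+)?: "
    r"(?P<proto>(?:TLS|SSL)v[\d.]+) "
)


def summarize(log_text):
    """Return (counts, legacy_peers), both keyed by service name."""
    counts = defaultdict(Counter)
    legacy_peers = defaultdict(set)
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS handshake summary line
        counts[m["svc"]][m["proto"]] += 1
        if m["proto"] in LEGACY:
            legacy_peers[m["svc"]].add(m["peer"])
    return dict(counts), {svc: sorted(p) for svc, p in legacy_peers.items()}


if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE_LOG)
    for svc, label in (("smtpd", "inbound"), ("smtp", "outbound")):
        print(label, dict(counts.get(svc, {})))
        for peer in legacy.get(svc, []):
            print("  legacy protocol peer:", peer)
```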