>> smtpd_use_tls = yes
>
> This is obsolete. The non-obsolete syntax is:

Thanks for the hint, this seems to have survived some old configs of mine. I appreciate that Postfix does not try to break configuration throughout the years.

>> smtpd_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
>>
>> - this is used when postfix needs to verify connections to other hosts
>
> No, that would be what 'smtp_tls_CAfile' is for, the "smtpd" version
> is for verifying incoming *client* certificates, which is not widely
> used. But even 'smtp_tls_CAfile' is only useful if one is actually
> authenticating some remote destinations, not just doing opportunistic
> unauthenticated TLS. Otherwise, no CAfile is needed in either
> direction.

Sorry for not expressing myself correctly. I wrote this in the context of smtpd_tls_*, not for Postfix as an SMTP client. What I wanted to point out is that you don't have to put any of the certificates you obtain when requesting e.g. a Let's Encrypt certificate into smtpd_tls_CAfile. It's just a bundle of certification authority public certificates that can be used to verify whether a presented certificate is signed correctly and the chain of trust is valid. With "*_tls_security_level = may", connections will be established whether or not verification succeeds. Still, some might find it useful when Postfix logs "Trusted TLS connection established ..." for outgoing connections (now Postfix as SMTP client).

> Also leave "smtpd_sasl_auth_enable = no" by default, and
> only enable it via master.cf for the submission services.

I agree, this would be better for new servers. In my case the server has been running for a long time, from when it was common to authenticate on port 25. Therefore SASL auth has been disabled in master.cf for the smtpd service (-o smtpd_sasl_auth_enable=no).

Best regards
Gerald
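An added example, not from this thread, of how the layout the quoted reply recommends looks in main.cf and master.cf: TLS offered on port 25, the CA bundle only on the client side, and SASL enabled only for submission. The hostname, the Let's Encrypt paths and the submission restrictions are assumptions.

```conf
# ---- main.cf (added example; hostname and certificate paths are assumed) ----

# Non-obsolete equivalent of "smtpd_use_tls = yes": offer STARTTLS to
# clients but still accept plaintext mail on port 25 (opportunistic TLS).
smtpd_tls_security_level = may

# Server certificate as issued by Let's Encrypt. fullchain.pem already
# carries the intermediate CA, so nothing has to go into smtpd_tls_CAfile.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.com/fullchain.pem
smtpd_tls_key_file  = /etc/letsencrypt/live/mail.example.com/privkey.pem

# Deliberately unset: smtpd_tls_CAfile is only consulted to verify
# certificates presented by incoming SMTP *clients*.

# Postfix as SMTP client: opportunistic TLS, mail is still delivered when
# verification fails, but with a CA bundle and loglevel 1 the log shows
# "Trusted TLS connection established" instead of "Untrusted ..." or
# "Anonymous ..." for destinations whose chain validates.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
smtp_tls_loglevel = 1

# SASL stays off globally; port 25 never offers AUTH.
smtpd_sasl_auth_enable = no

# ---- master.cf (added example) ----
# service    type  private unpriv chroot wakeup maxproc command
smtp         inet  n       -      y      -      -       smtpd
submission   inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

Gerald's legacy setup is the inverse: SASL enabled in main.cf and switched off per service with "-o smtpd_sasl_auth_enable=no" on the smtp listener, which ends up with the same port 25 behaviour.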