[pfx] Re: smtp_tls_security_level defaults question

2025-06-23 Thread Wietse Venema via Postfix-users
I'm simplifying the implementation. If built with TLS the SMTP client default is: smtp_tls_security_level = may With compatibility_level < 3.11, the Postfix SMTP client will log: postfix/smtp[...] using backwards-compatible default setting smtp_tls_security_level=(empty) This ma

[pfx] Re: smtp_tls_security_level defaults question

2025-06-23 Thread Geert Hendrickx via Postfix-users
On Mon, Jun 23, 2025 at 13:24:49 -0400, Wietse Venema via Postfix-users wrote: > Conclusion: there is no benefit from to changing the SMTP server default > TLS level. I agree. The server-side TLS cannot work without some external process to generate and configure the certificate(s), so it can ju

[pfx] Re: smtp_tls_security_level defaults question

2025-06-09 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users: > On Sun, Jun 08, 2025 at 07:29:22PM +0200, Geert Hendrickx via Postfix-users > wrote: > > On Mon, Jun 09, 2025 at 00:42:20 +1000, Viktor Dukhovni via Postfix-users > > wrote: > > > On Sun, Jun 08, 2025 at 09:29:17AM -0400, Wietse Venema via Postfix-users > > >

[pfx] Re: smtp_tls_security_level defaults question

2025-06-08 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 08, 2025 at 07:29:22PM +0200, Geert Hendrickx via Postfix-users wrote: > On Mon, Jun 09, 2025 at 00:42:20 +1000, Viktor Dukhovni via Postfix-users > wrote: > > On Sun, Jun 08, 2025 at 09:29:17AM -0400, Wietse Venema via Postfix-users > > wrote: > > > > > > Can the default be decided

[pfx] Re: smtp_tls_security_level defaults question

2025-06-08 Thread Geert Hendrickx via Postfix-users
On Mon, Jun 09, 2025 at 00:42:20 +1000, Viktor Dukhovni via Postfix-users wrote: > On Sun, Jun 08, 2025 at 09:29:17AM -0400, Wietse Venema via Postfix-users > wrote: > > > > Can the default be decided at build-time (#ifdef), instead of with > > > run-time conditional configuration? > > > > That

[pfx] Re: smtp_tls_security_level defaults question

2025-06-08 Thread Viktor Dukhovni via Postfix-users
On Sun, Jun 08, 2025 at 09:29:17AM -0400, Wietse Venema via Postfix-users wrote: > > Can the default be decided at build-time (#ifdef), instead of with > > run-time conditional configuration? > > That would result in an incompatible change for systems that are > not explicitly configured to enabl

[pfx] Re: smtp_tls_security_level defaults question

2025-06-08 Thread Wietse Venema via Postfix-users
Geert Hendrickx via Postfix-users: > On Sat, Jun 07, 2025 at 18:51:21 -0400, Wietse Venema via Postfix-users wrote: > > > > For the Postfix SMTP client the new default would look like: > > > > > > > > smtp_tls_security_level = > > > > ${{$compatibility_level} >=level {3.10}? > > > >

[pfx] Re: smtp_tls_security_level defaults question

2025-06-08 Thread Geert Hendrickx via Postfix-users
On Sat, Jun 07, 2025 at 18:51:21 -0400, Wietse Venema via Postfix-users wrote: > > > For the Postfix SMTP client the new default would look like: > > > > > > smtp_tls_security_level = > > > ${{$compatibility_level} >=level {3.10}? > > > {${built_with_tls ? {may > > > >

[pfx] Re: smtp_tls_security_level defaults question

2025-06-07 Thread Wietse Venema via Postfix-users
Geert Hendrickx via Postfix-users: > On Thu, Oct 24, 2024 at 11:33:22 -0400, Wietse Venema via Postfix-users wrote: > > The compatibility-level guard is a good idea. To take out some of the > > guesswork, I'm considering to add a read-only configuration parameter > > that indicates whether Postfix

[pfx] Re: smtp_tls_security_level defaults question

2025-06-07 Thread Geert Hendrickx via Postfix-users
On Thu, Oct 24, 2024 at 11:33:22 -0400, Wietse Venema via Postfix-users wrote: > The compatibility-level guard is a good idea. To take out some of the > guesswork, I'm considering to add a read-only configuration parameter > that indicates whether Postfix is built with TLS support. > > For the Pos

[pfx] Re: smtp_tls_security_level defaults question

2024-10-25 Thread Eugene R via Postfix-users
Hello, On 24.10.2024 08:24, Viktor Dukhovni via Postfix-users wrote: Yes, of course, as documented. TLS is off by default, this is backwards-compatible behaviour, and Postfix aims to not "surprise" operators with unexpected new behaviour after an upgrade. Default settings are in part also the

[pfx] Re: smtp_tls_security_level defaults question

2024-10-24 Thread Wietse Venema via Postfix-users
Geert Hendrickx: > On Thu, Oct 24, 2024 at 11:33:22 -0400, Wietse Venema via Postfix-users wrote: > > And for the Postfix SMTP server, this would add two guards > > to Viktor's example: > > > > smtpd_tls_security_level = > > ${{$compatibility_level} >=level {3.10} ? > > {${

[pfx] Re: smtp_tls_security_level defaults question

2024-10-24 Thread Geert Hendrickx via Postfix-users
On Thu, Oct 24, 2024 at 11:33:22 -0400, Wietse Venema via Postfix-users wrote: > And for the Postfix SMTP server, this would add two guards > to Viktor's example: > > smtpd_tls_security_level = > ${{$compatibility_level} >=level {3.10} ? > {${built_with_tls ? >

[pfx] Re: smtp_tls_security_level defaults question

2024-10-24 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users: > Meanwhile, on the server side we could set: > > # Default to "may" when a cert file is configured. > # > smtpd_tls_security_level = > ${smtpd_tls_chain_files ? {may} : > {${smtpd_tls_cert_file ? {may} : > {${smtpd_tls_

[pfx] Re: smtp_tls_security_level defaults question

2024-10-24 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 24, 2024 at 01:24:07PM +0300, Eugene R via Postfix-users wrote: > On 24.10.2024 08:24, Viktor Dukhovni via Postfix-users wrote: > > Yes, of course, as documented. TLS is off by default, this is > > backwards-compatible behaviour, and Postfix aims to not "surprise" > > operators with u

[pfx] Re: smtp_tls_security_level defaults question

2024-10-24 Thread Geert Hendrickx via Postfix-users
On Thu, Oct 24, 2024 at 16:24:04 +1100, Viktor Dukhovni via Postfix-users wrote: > Yes, of course, as documented. TLS is off by default, this is backwards- > compatible behaviour, and Postfix aims to not "surprise" operators with > unexpected new behaviour after an upgrade. This could be enabled

[pfx] Re: smtp_tls_security_level defaults question

2024-10-23 Thread Jaroslaw Rafa via Postfix-users
Something bad happened to the list (?), as your message seems to be repeated multiple times, with Chinese characters prepended to the subject and list footer appended to the body multiple times. -- Regards, Jaroslaw Rafa r...@rafa.eu.org -- "In a million years, when kids go to school, they'r

[pfx] Re: smtp_tls_security_level defaults question

2024-10-23 Thread Viktor Dukhovni via Postfix-users
On Thu, Oct 24, 2024 at 06:34:16AM +0800, Wesley via Postfix-users wrote: > $ postconf -d smtp_use_tls smtp_tls_security_level > smtp_use_tls = no > smtp_tls_security_level = > > Under these defaults, I am afraid if I don't setup them, Postfix will > always talk to peer with plaintext, even peer

[pfx] Re: smtp_tls_security_level defaults question

2024-10-23 Thread Wesley via Postfix-users
And please see the following defaults, root@mail:~# postconf -d smtp_use_tls smtp_use_tls = no root@mail:~# postconf -d smtp_tls_security_level smtp_tls_security_level = under these defaults, I am afraid if I don't setup them, postfix will always talk to peer with plaintext, even peer supports

[pfx] Re: smtp_tls_security_level defaults question

2024-10-23 Thread Viktor Dukhovni via Postfix-users
On Wed, Oct 23, 2024 at 07:15:31PM +0800, Wesley via Postfix-users wrote: > please see this default value, > > # postconf -d smtp_tls_security_level > smtp_tls_security_level = The default value maintains backwards-compatibility with Postfix ~2.2 when TLS support was first merged into Postfix ba

[pfx] Re: smtp_tls_security_level defaults question

2024-10-23 Thread Markus Schönhaber via Postfix-users
23.10.24, 13:15 +0200, Wesley via Postfix-users: > please see this default value, > > # postconf -d smtp_tls_security_level smtp_tls_security_level = > > does this mean if using the default value, postfix will deliver > messages to peer MTA without using ssl/tls always, even the peer > supports