On 4-Mar-2009, at 14:33, Jorey Bump wrote:
smtpd_tls_security_level should be used instead.
Not if you don't want to force TLS on the submission port it shouldn't.
On 4-Mar-2009, at 13:21, Brian Evans - Postfix List wrote:
*encrypt*
Mandatory TLS encryption: announce STARTTLS support to SMTP
clients,
and require that clients use TLS encryption. According to RFC 2487
<http://tools.ietf.org/html/rfc2487> this MUST NOT be applied in
case of a publicly-referenced SMTP server. Instead, this option
should be used only on dedicated servers.
This is wrong too (not the quote, but Brian's misapplication of it).
From RFC 2487:
A publicly-referenced SMTP server MUST NOT require use of the
STARTTLS extension in order to deliver mail locally.
So far so good, but keep reading:
This rule prevents the STARTTLS extension from damaging the
interoperability of the Internet's SMTP infrastructure. ***A
publicly-referenced SMTP server is an SMTP server which runs on port
25 of an Internet host listed in the MX record (or A record if an MX
record is not present) for the domain name on the right hand side of
an Internet mail address***.
So that has nothing to do with the submission port.
--
When the routine bites hard / and ambitions are low
And the resentment rides high / but emotions won't grow
And we're changing our ways, / taking different roads
Then love, love will tear us apart again
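To make the distinction above concrete (opportunistic TLS on the publicly-referenced port 25 listener, mandatory TLS only on the separate submission listener), here is an added configuration example; it is not from the original message or from the Postfix documentation quoted in it, and the certificate and key paths are assumed placeholders.

```conf
# main.cf (applies to the port 25 smtpd, the MX-referenced listener)
# "may" announces STARTTLS but never requires it, which is what
# RFC 2487 asks of a publicly-referenced SMTP server.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/ASSUMED-PLACEHOLDER-server.crt
smtpd_tls_key_file  = /etc/postfix/ASSUMED-PLACEHOLDER-server.key

# master.cf (the submission service on port 587 is a separate smtpd
# instance, so the per-service -o override raises it to "encrypt"
# without touching the port 25 behaviour set in main.cf)
submission inet n       -       n       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
```

The `-o name=value` lines in master.cf override main.cf only for that service, so `postconf smtpd_tls_security_level` still reports `may` for the global setting while the submission listener refuses to proceed without STARTTLS; `postconf -M submission` shows the per-service overrides.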