Interesting approach if I correctly understood what you do: You are running
STARTTLS, basically accepting unencrypted connections but with
"warn_if_reject reject_plaintext_session" you are rejecting unencrypted
sessions once data transfer is about to start? Which is expected to generate
the same outcome as "smtpd_tls_security_level = encrypt" with the benefit of
getting this extra log line for more convenient monitoring?

Mark

-----Original Message-----
From: Geert Hendrickx via Postfix-users [mailto:postfix-users@postfix.org]
Sent: Sunday, 8 September 2024 18:31
To: postfix-users@postfix.org
Subject: [pfx] Re: struggling with smtpd_tls_security_level = encrypt -
5.7.0 Must issue a STARTTLS command first

On Mon, Sep 09, 2024 at 00:17:08 +1000, Viktor Dukhovni via Postfix-users
wrote:
> And of course, I'd be negligent to not mention that I don't recommend a hard
> requirement of TLS on port 25, you may one day reject some important mail
> and not even know it, and if STARTTLS stops working, you may be rejecting
> all mail until it is fixed.



I'm running with "warn_if_reject reject_plaintext_session" as the very last
smtpd_data_restrictions to get one-line logging of (otherwise successful)
unencrypted mail.  It's indeed 99% junk, but still some important enough
legit plaintext e-mail every now and then.


I ended up putting "reject_plaintext_session" in recipient_access for some
less important forwarder domains where it doesn't do real harm, but blocks
a lot of spam that I don't need to filter anymore.


        Geert

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
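
An added example, not part of either message above: a short Python tally of the one-line warnings that the "warn_if_reject reject_plaintext_session" setup discussed in this thread produces, grouped by sender domain and client IP, so the occasional legitimate plaintext sender stands out from the junk. The log lines are constructed samples, and their layout is an assumption based on Postfix's usual reject_warning logging; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread). The layout follows Postfix's
# usual "reject_warning" logging; treat the exact wording as an assumption and
# compare it against your own mail.log before relying on the pattern.
SAMPLE_LOG = """\
Sep  8 18:02:11 mx1 postfix/smtpd[2101]: 4F1A22C0D: reject_warning: DATA from mail.example.net[192.0.2.10]: 450 4.7.1 <DATA>: Data command rejected: Session encryption is required; from=<billing@example.net> proto=ESMTP helo=<mail.example.net>
Sep  8 18:03:40 mx1 postfix/smtpd[2107]: 7B3C92C11: reject_warning: DATA from unknown[198.51.100.7]: 450 4.7.1 <DATA>: Data command rejected: Session encryption is required; from=<promo@bulk.example> proto=SMTP helo=<user>
Sep  8 18:04:02 mx1 postfix/smtpd[2107]: 9D0E12C15: reject_warning: DATA from unknown[198.51.100.7]: 450 4.7.1 <DATA>: Data command rejected: Session encryption is required; from=<> proto=SMTP helo=<user>
Sep  8 18:05:19 mx1 postfix/smtpd[2110]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 <x@example.org>: Relay access denied; from=<a@b.example> to=<x@example.org> proto=ESMTP helo=<h>
Sep  8 18:06:00 mx1 postfix/smtpd[2101]: 1C2D32C19: reject_warning: DATA from mail.example.net[192.0.2.10]: 450 4.7.1 <DATA>: Data command rejected: Session encryption is required; from=<alerts@example.net> proto=ESMTP helo=<mail.example.net>
"""

# Only warn_if_reject hits for reject_plaintext_session: "reject_warning" plus
# the "Session encryption is required" reply text. from=<...> is optional.
PLAINTEXT_WARNING = re.compile(
    r"postfix[^ ]*/smtpd\[\d+\]: \S+: reject_warning: \w+ from "
    r"(?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]: .*Session encryption is required;"
    r"(?: from=<(?P<sender>[^>]*)>)?"
)


def plaintext_senders(log_text):
    """Count accepted-but-unencrypted sessions per (sender domain, client IP)."""
    tally = Counter()
    for line in log_text.splitlines():
        match = PLAINTEXT_WARNING.search(line)
        if not match:
            continue  # real rejects and unrelated lines are ignored
        sender = match.group("sender") or ""
        # Bounces carry an empty envelope sender; keep them as their own bucket.
        domain = sender.rpartition("@")[2].lower() or "<null sender>"
        tally[(domain, match.group("ip"))] += 1
    return tally


if __name__ == "__main__":
    for (domain, ip), count in plaintext_senders(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {domain:20s} {ip}")
```
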

