Viktor Dukhovni via Postfix-users:
> Meanwhile, on the server side we could set:
>
>     # Default to "may" when a cert file is configured.
>     #
>     smtpd_tls_security_level =
>         ${smtpd_tls_chain_files ? {may} :
>             {${smtpd_tls_cert_file ? {may} :
>                 {${smtpd_tls_eccert_file ? {may} :
>                     {${smtpd_tls_dcert_file ? {may}}}}}}}}
>
> Possibly with a top-level compatibility-level guard.

The compatibility-level guard is a good idea. To take out some of
the guesswork, I'm considering adding a read-only configuration
parameter that indicates whether Postfix is built with TLS support.

For the Postfix SMTP client the new default would look like:

    smtp_tls_security_level =
        ${{$compatibility_level} >=level {3.10}?
            {${built_with_tls ? {may}}}}

And for the Postfix SMTP server, this would add two guards
to Viktor's example:

    smtpd_tls_security_level =
        ${{$compatibility_level} >=level {3.10} ?
            {${built_with_tls ?
                {${smtpd_tls_chain_files ? {may} :
                    {${smtpd_tls_cert_file ? {may} :
                        {${smtpd_tls_eccert_file ? {may} :
                            {${smtpd_tls_dcert_file ? {may}}}}}}}}}}}}

Configuration like this is ugly, and is acceptable only for
compiled-in default settings.

Wietse
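
Added example, not part of the original message and not Postfix code: a small Python evaluator for the conditional syntax used above, showing which inputs make the proposed server default come out as "may" or empty. It handles only `$name`, `${name ? {a} : {b}}` and `>=level`; treating the proposed `built_with_tls` parameter as non-empty when TLS is compiled in is an assumption.

```python
import re

# Proposed default from the message (whitespace condensed); built_with_tls is hypothetical.
SMTPD_DEFAULT = """${{$compatibility_level} >=level {3.10} ? {${built_with_tls ?
    {${smtpd_tls_chain_files ? {may} : {${smtpd_tls_cert_file ? {may} :
        {${smtpd_tls_eccert_file ? {may} :
            {${smtpd_tls_dcert_file ? {may}}}}}}}}}}}}"""

# ">=level" compares dotted versions per component, so 3.9 sorts below 3.10
OPS = {">=level": lambda a, b: [*map(int, a.split("."))] >= [*map(int, b.split("."))]}

def _group(s, i):  # (inner text, index past the matching '}') for the '{' at s[i]
    depth = 0
    for j in range(i, len(s)):
        depth += (s[j] == "{") - (s[j] == "}")
        if depth == 0:
            return s[i + 1:j], j + 1
    raise ValueError("unbalanced braces")

def _branches(rest, cond, params):  # "? {yes}" and/or ": {no}"
    out, rest = "", rest.strip()
    while rest:
        val, end = _group(rest, rest.index("{"))
        out = expand(val.strip(), params) if (rest[0] == "?") == cond else out
        rest = rest[end:].strip()
    return out

def _eval(body, params):
    if body[0] == "{":  # ${{left} OP {right} ? {yes} : {no}}
        left, i = _group(body, 0)
        m = re.match(r"\s*([^\s{]+)\s*", body[i:])
        right, k = _group(body, i + m.end())
        cond = OPS[m.group(1)](expand(left, params), expand(right, params))
        return _branches(body[k:], cond, params)
    m = re.match(r"(\w+)\s*", body)  # ${name} or ${name ? {yes} : {no}}
    value, rest = params.get(m.group(1), ""), body[m.end():]
    return _branches(rest, bool(value), params) if rest else value

def expand(s, params):  # params map names to literal values (not re-expanded)
    out, i = "", 0
    while i < len(s):
        m = re.match(r"\$(\w+)", s[i:])
        if s.startswith("${", i):
            body, i = _group(s, i + 1)
            out += _eval(body.strip(), params)
        else:
            out += params.get(m.group(1), "") if m else s[i]
            i += m.end() if m else 1
    return out
```

Calling `expand(SMTPD_DEFAULT, {...})` with a constructed parameter dict returns "may" only when the compatibility level is at least 3.10, `built_with_tls` is non-empty, and at least one of the four certificate parameters is set.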