I'm simplifying the implementation. If built with TLS the SMTP client default is:
    smtp_tls_security_level = may

With compatibility_level < 3.11, the Postfix SMTP client will log:

    postfix/smtp[...] using backwards-compatible default setting smtp_tls_security_level=(empty)

This makes "TLS by default" easy for the Postfix SMTP client.

For the Postfix SMTP server, the situation is more complicated. There, TLS can be turned on only if at least one private key and certificate are configured. I simplified the configuration example discussed in this thread to:

    smtpd_tls_security_level = ${smtpd_tls_chain_files ? {may} : { ${smtpd_tls_cert_file ? {may} : { ${smtpd_tls_eccert_file ? {may} : { ${smtpd_tls_dcert_file ? {may}} }} }} }}

With compatibility_level < 3.11 logging:

    postfix/smtpd[...] using backwards-compatible default setting smtpd_tls_security_level=(empty)

"TLS by default" requires that Postfix installation procedures generate a private key and cert by default (if those do not already exist). An example is the command "postfix-tls enable-server" which also sets "smtpd_tls_security_level = may" in main.cf.

Conclusion: there is no benefit from changing the SMTP server default TLS level.

Wietse
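Added example, not part of the message above and not Postfix code: a simplified evaluator for the nested ${name ? {value} : {value}} expression quoted in the message, showing which certificate settings yield "may" and which leave the level empty. The function names and the sample file path are assumptions made for illustration, and only this one conditional form is handled.

```python
# Added example: simplified evaluator for the conditional quoted in the
# message. It is not Postfix's parser and handles only ${name} and
# ${name ? {if-set} : {if-empty}}.
EXPR = ("${smtpd_tls_chain_files ? {may} : { ${smtpd_tls_cert_file ? {may} : "
        "{ ${smtpd_tls_eccert_file ? {may} : "
        "{ ${smtpd_tls_dcert_file ? {may}} }} }} }}")

def _block(s, i):
    """Return (inner_text, index_after) for the balanced {...} at s[i]."""
    if i >= len(s) or s[i] != "{":
        raise ValueError("expected '{'")
    depth = 0
    for j in range(i, len(s)):
        if s[j] == "{":
            depth += 1
        elif s[j] == "}":
            depth -= 1
            if depth == 0:
                return s[i + 1:j], j + 1
    raise ValueError("unbalanced braces")

def _cond(inner, params):
    """Evaluate the text found between '${' and its matching '}'."""
    name, sep, rest = inner.partition("?")
    name = name.strip()
    if not sep:                          # plain ${name}
        return params.get(name, "")
    rest = rest.lstrip()
    if_set, j = _block(rest, 0)
    rest = rest[j:].lstrip()
    if_empty = ""                        # the ": {...}" branch is optional
    if rest.startswith(":"):
        if_empty, _ = _block(rest[1:].lstrip(), 0)
    chosen = if_set if params.get(name, "").strip() else if_empty
    return expand(chosen, params)

def expand(s, params):
    """Expand every ${...} in s; params maps main.cf names to values."""
    out, i = [], 0
    while i < len(s):
        if s.startswith("${", i):
            inner, i = _block(s, i + 1)
            out.append(_cond(inner, params))
        else:
            out.append(s[i])
            i += 1
    return "".join(out).strip()

if __name__ == "__main__":
    # Constructed sample settings, not taken from a real main.cf.
    for cfg in ({}, {"smtpd_tls_cert_file": "/etc/postfix/example-cert.pem"}):
        print(cfg, "->", repr(expand(EXPR, cfg)))
```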