On Sat, Feb 20, 2016 at 08:32:31AM -0500, Wietse Venema wrote:
> > Creating a separate hash file with following content like below solved my
> > issue but doing the same for all domain will not be acceptable solution ...
>
> If you want to encrypt mail to all domains:
>
> /etc/postfix/main.cf
> smtp_tls_security_level = encrypt
>
> But I would not recommend this.
If the OP just wants to use TLS with domains that offer STARTTLS,
then:
smtp_tls_security_level = may
may be most appropriate. This does not prevent cleartext fallback
in case of trouble, but there are enough domains that advertise
non-working STARTTLS to make cleartext fallback the sensible choice
at present. Opportunistic TLS is a counter-measure to passive
monitoring, not active attacks.
--
Viktor.
