On Sat, Feb 20, 2016 at 08:32:31AM -0500, Wietse Venema wrote:

> > Creating a separate hash file with following content like below solved my
> > issue but doing the same for all domain will not be acceptable solution ...
>
> If you want to encrypt mail to all domains:
>
> /etc/postfix/main.cf
>     smtp_tls_security_level = encrypt
>
> But I would not recommend this.

If the OP just wants to use TLS with domains that offer STARTTLS, then:

    smtp_tls_security_level = may

may be most appropriate. This does not prevent cleartext fallback in
case of trouble, but there are enough domains that advertise non-working
STARTTLS to make cleartext fallback the sensible choice at present.
Opportunistic TLS is a counter-measure to passive monitoring, not active
attacks.

--
    Viktor.
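
Added example, not part of the original message and not Postfix code: a small log check that shows which recipient domains actually received mail in cleartext under `smtp_tls_security_level = may`, which is the list an administrator would review before pinning individual destinations to `encrypt`. It assumes `smtp_tls_loglevel = 1` is set so that postfix/smtp logs a "TLS connection established" line, and that a "Cannot start TLS" line from the same smtp process marks the fallback to plaintext; the log lines below are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines (assumed shape of postfix/smtp logging with
# smtp_tls_loglevel = 1; hosts, queue IDs and addresses are made up).
SAMPLE_LOG = """\
Feb 20 09:00:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 20 09:00:02 mail postfix/smtp[2101]: 3A1B2C4D5E: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 20 09:00:05 mail postfix/smtp[2102]: 4B2C3D5E6F: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 20 09:01:00 mail postfix/smtp[2103]: Untrusted TLS connection established to mx.example.com[203.0.113.5]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Feb 20 09:01:01 mail postfix/smtp[2103]: 5C3D4E6F7A: to=<dave@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=1.0, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Feb 20 09:05:10 mail postfix/smtp[2103]: 6D4E5F7A8B: Cannot start TLS: handshake failure
Feb 20 09:05:11 mail postfix/smtp[2103]: 6D4E5F7A8B: to=<carol@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=2.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: \w+ TLS connection established to (\S+\]:\d+):")
FAIL_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+: Cannot start TLS")
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: \w+: to=<[^>@]+@([^>]+)>, relay=([^,]+),.*status=sent")


def cleartext_report(log_text):
    """Return {recipient_domain: Counter(tls=..., cleartext=...)}."""
    tls_relay = {}  # smtp process id -> relay of its current TLS session
    report = {}
    for line in log_text.splitlines():
        if m := TLS_RE.search(line):
            tls_relay[m.group(1)] = m.group(2)
        elif m := FAIL_RE.search(line):
            # Handshake failed: the retry from this process is plaintext.
            tls_relay.pop(m.group(1), None)
        elif m := SENT_RE.search(line):
            pid, domain, relay = m.groups()
            kind = "tls" if tls_relay.get(pid) == relay else "cleartext"
            report.setdefault(domain.lower(), Counter())[kind] += 1
    return report


def cleartext_domains(log_text):
    """Domains with at least one delivery that was not protected by TLS."""
    report = cleartext_report(log_text)
    return sorted(d for d, c in report.items() if c["cleartext"])


if __name__ == "__main__":
    for domain, counts in sorted(cleartext_report(SAMPLE_LOG).items()):
        print(f"{domain}: tls={counts['tls']} cleartext={counts['cleartext']}")
```
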