On 1 Aug 2018, at 11:59, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> status=deferred (TLS is required, but was not offered by host
>
> Here, the "level" is "none". The remote site did not support STARTTLS.

Ah. Yes, that makes sense, it just didn't occur to me a server in 2018 would do that, I figured it just had crappy security levels. Thanks.

>> smtp_tls_security_level = encrypt
>
> The last of these is too strict as a default for all domains.

Yes, probably, but on the other hand, two servers in the last week, and one of those is a "web board reply" discourse email, and those are janky at the best of times anyway.

> The sensible settings are either "may", or if you have a local (loopback)
> validating resolver, "dane" (see TLS_README for details).
>
>> tls_preempt_cipherlist = yes
>> tls_ssl_options = no_ticket, no_compression
>
> Why do you disable session tickets?

There was a reason, I think. But most of these settings have been there for years, so I should revise that. I want to say it was a recommendation from dovecot list? (I last modified main.conf when I moved to postfix 3.x.)

<adds it to the list>

-- 
Silence filled the University in the same way that air fills a hole. Night spread across the Disk like plum jam, or possibly blackberry preserve. But there would be a morning. There would always be another morning. --Sourcery
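
A log check for the deferral quoted at the top of this message, added here as an example and not part of the original thread: it lists which destinations hold mail because their MX never offered STARTTLS while smtp_tls_security_level = encrypt is the default. The function name, the sample lines, and the host[ip] tail and dsn code that complete the truncated log text are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread): hosts, queue IDs and
# addresses are made up; the layout follows the usual postfix/smtp delivery log.
SAMPLE_LOG = """\
Aug  1 11:02:13 mx postfix/smtp[2101]: 4A1B2C3D4E: to=<alice@forum.example>, relay=mail.forum.example[192.0.2.10]:25, delay=1.2, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mail.forum.example[192.0.2.10])
Aug  1 11:05:40 mx postfix/smtp[2107]: 5B2C3D4E5F: to=<bob@good.example>, relay=mx.good.example[198.51.100.7]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D)
Aug  1 11:12:13 mx postfix/smtp[2133]: 4A1B2C3D4E: to=<alice@forum.example>, relay=mail.forum.example[192.0.2.10]:25, delay=601, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mail.forum.example[192.0.2.10])
Aug  1 11:20:02 mx postfix/smtp[2140]: 6C3D4E5F60: to=<carol@legacy.example>, relay=mx1.legacy.example[203.0.113.5]:25, delay=0.8, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx1.legacy.example[203.0.113.5])
Aug  1 11:21:30 mx postfix/smtp[2141]: 7D4E5F6071: to=<dave@slow.example>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.slow.example[198.51.100.9]:25: Connection timed out)
"""

# Matches only deferrals caused by a missing STARTTLS offer, not other
# temporary failures such as timeouts.
DEFER_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): to=<(?P<rcpt>[^>]+)>,.*"
    r"status=deferred \(TLS is required, but was not offered by host "
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]"
)

def no_starttls_deferrals(log_text):
    """Return {recipient domain: {'hosts': MX names, 'queue_ids': queue IDs}}."""
    report = defaultdict(lambda: {"hosts": set(), "queue_ids": set()})
    for line in log_text.splitlines():
        m = DEFER_RE.search(line)
        if not m:
            continue
        domain = m.group("rcpt").rsplit("@", 1)[-1].lower()
        report[domain]["hosts"].add(m.group("host").lower())
        # A set, so retries of the same queued message are counted once.
        report[domain]["queue_ids"].add(m.group("qid"))
    return dict(report)

if __name__ == "__main__":
    for domain, info in sorted(no_starttls_deferrals(SAMPLE_LOG).items()):
        print(f"{domain}: {len(info['queue_ids'])} message(s) held, "
              f"MX without STARTTLS: {', '.join(sorted(info['hosts']))}")
```
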