micah anderson:
> Wietse Venema <wie...@porcupine.org> writes:
>
> > micah anderson:
> >> Eray Aslan <er...@a21an.org> writes:
> >>
> >> > On Wed, Dec 19, 2018 at 02:36:50PM -0500, Viktor Dukhovni wrote:
> >> >> If there are no objections, I can change the default to "may" when
> >> >> TLS is compiled in.
> >> >
> >> > No objections for setting smtp_tls_security_level. Thanks for your
> >> > effort.
> >>
> >> I just wanted to circle back to this thread - it seems like nobody had
> >> any objections to this change, and there were even proposed changes
> >> sent, but I don't see that it ever got integrated?
> >
> > What was the idea: change the default when built with TLS support?
>
> That is right, change it to 'may', since it requires no certificates to
> be generated. Because it will do opportunistic + fallback if things
> don't work, it seems a harmless improvement.
>
> > Meanwhile, we should consider enabling smtp_tls_connection_reuse,
> > too, otherwise the high-volume case can have an unexpected performance
> > difference between plaintext deliveries and TLS (namely, one TCP
> > handshake plus one TLS handshake per delivery).
>
> Good idea!

For that to work out of the box, we'd have to get rid of most global
tls_mumble parameters and replace them with smtp_tls_mumble, so that
tlsproxy can accurately proxy the Postfix SMTP client behavior.

Wietse