micah anderson:
> Wietse Venema <wie...@porcupine.org> writes:
> 
> > micah anderson:
> >> Eray Aslan <er...@a21an.org> writes:
> >> 
> >> > On Wed, Dec 19, 2018 at 02:36:50PM -0500, Viktor Dukhovni wrote:
> >> >> If there are no objections, I can change the default to "may" when
> >> >> TLS is compiled in.
> >> >
> >> > No objections for setting smtp_tls_security_level.  Thanks for your
> >> > effort.
> >> 
> >> I just wanted to circle back to this thread - it seems like nobody had
> >> any objections to this change, and there were even proposed changes
> >> sent, but I don't see that it ever got integrated?
> >
> > What was the idea: change the default when built with TLS support?
> 
> That is right, change it to 'may', since it requires no certificates to
> be generated. Because it will do opportunistic + fallback if things
> don't work, it seems a harmless improvement.
> 
> > Meanwhile, we should consider enabling smtp_tls_connection_reuse,
> > too, otherwise the high-volume case can have an unexpected performance
> > difference between plaintext deliveries and TLS (namely, one TCP
> > handshake plus one TLS handshake per delivery).
> 
> Good idea!

For that to work out of the box, we'd have to get rid of most global
tls_mumble parameters and replace them with smtp_tls_mumble, so
that tlsproxy can accurately proxy the Postfix SMTP client behavior.

        Wietse
