On Fri, Nov 12, 2021 at 03:47:22PM -0600, Tyler Montney wrote:

> In my effort to be a little less flexible (to get more encryption), it
> seems I'll do the opposite. I'll change that. Speaking of which...
> 
> smtp_tls_mandatory_protocols

Applies when sending mail to destinations for which TLS is mandatory,
i.e. the effective security level is "encrypt" or higher.  With "dane"
that means that the remote MX host is actually in a DNSSEC-signed zone
and has TLSA records, otherwise "dane" gracefully degrades to "may".

> smtp_tls_protocol

Applies when the security level is "may", or "dane" and the MX host
is not in a signed zone and/or does not have TLSA records.

The "smtpd_" analogues are similar; "mandatory" is for submission, where
you'd typically set the security level to "encrypt".

-- 
    Viktor.
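
The split described in the reply above, as an added configuration sketch that is not part of the original message. It assumes Postfix 3.6 or later for the `>=` protocol syntax, and the protocol floors are illustrative values, not recommendations taken from the thread.

```ini
# main.cf (constructed example; values are illustrative assumptions)

# Outbound SMTP client: use DANE where the MX host is in a DNSSEC-signed
# zone and publishes TLSA records; otherwise "dane" degrades to "may".
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane

# Consulted when the effective level is "may", including "dane" that has
# degraded to "may". Kept permissive here: at this level a failed TLS
# handshake leads to cleartext delivery, not to a stronger handshake.
smtp_tls_protocols = >=TLSv1

# Consulted when the effective level is "encrypt" or higher, i.e. for
# "dane" destinations that really do have usable TLSA records.
smtp_tls_mandatory_protocols = >=TLSv1.2

# Inbound analogues on the SMTP server side (port 25, opportunistic).
smtpd_tls_security_level = may
smtpd_tls_protocols = >=TLSv1
smtpd_tls_mandatory_protocols = >=TLSv1.2

# master.cf: the submission service overrides the level to "encrypt",
# so smtpd_tls_mandatory_protocols is the setting that applies there.
# submission inet n - n - - smtpd
#   -o smtpd_tls_security_level=encrypt
```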
