Postfix config misses smtp_* parameters and includes several default settings #114
Comments
I agree. I just updated my configuration and was wondering why the
Regarding cipher selection
I would imagine that
If you choose to restrict the ciphers that could be used, the fallback thus is to continue the connection and deliver without any encryption. For connections to a relay host like SendGrid you may prefer to set the security level to
Note:
It's ok to be explicit with security settings that are still the defaults. A user may be applying the suggested config to an already configured instance where these may have been configured differently by mistake or intentionally. IIRC:
While mandatory ciphers is set to The config only focuses on
Take this generated config: https://ssl-config.mozilla.org/#server=postfix&version=3.5.6&config=intermediate&openssl=1.1.1g&guideline=5.6
The following values are already Postfix defaults:
I've checked the Postfix documentation and `postconf -d` output on Fedora 32.
Then there are some settings for when doing mandatory TLS, i.e.
although mandatory TLS isn't configured - cf. the `smtpd_tls_security_level = may` line which configures opportunistic TLS. Thus, those options aren't effective here.
On the other hand, the sister options for opportunistic TLS are missing, i.e. this one is missing:
Also, the generated config only includes `smtpd_*` options and no `smtp_*` variants. Note that opportunistic TLS also makes sense when the mail server is sending mail, e.g. when SMTP relaying mail to a destination server. Thus, the config is missing at least the following smtp options:
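An added example, not part of the original issue or the config generator's code: a small Python check for the two gaps the issue describes, mandatory-TLS settings sitting next to `smtpd_tls_security_level = may`, and server-side TLS policy with no `smtp_*` counterpart. The sample config is constructed, and the function names and finding labels are hypothetical.

```python
# Added example: lint a Postfix main.cf for the gaps described in the issue.
# SAMPLE_MAIN_CF is constructed; finding labels are hypothetical names.

SAMPLE_MAIN_CF = """\
# constructed fragment, server side only
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3,
    !TLSv1, !TLSv1.1
smtpd_tls_mandatory_ciphers = medium
"""


def parse_main_cf(text):
    """Parse main.cf text into {name: value}; a later setting overrides."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()  # continuation line
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params


def lint(params):
    """Return (label, parameter) findings for opportunistic-TLS setups."""
    findings = []
    for side in ("smtpd", "smtp"):
        if params.get(f"{side}_tls_security_level") != "may":
            continue
        for kind in ("protocols", "ciphers"):
            mandatory, sister = f"{side}_tls_mandatory_{kind}", f"{side}_tls_{kind}"
            if mandatory in params:
                # Mandatory-TLS setting next to an opportunistic level.
                findings.append(("ineffective_at_may", mandatory))
                if sister not in params:
                    findings.append(("missing_opportunistic", sister))
    for suffix in ("security_level", "protocols", "ciphers"):
        server = (f"smtpd_tls_{suffix}", f"smtpd_tls_mandatory_{suffix}")
        client = f"smtp_tls_{suffix}"
        if any(name in params for name in server) and client not in params:
            findings.append(("no_client_variant", client))  # outbound side unset
    return findings


if __name__ == "__main__":
    for label, name in lint(parse_main_cf(SAMPLE_MAIN_CF)):
        print(f"{label}: {name}")
```

To check a live instance, feed it the text of `main.cf`; per-destination policy tables and `master.cf` overrides are outside what this check reads.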