On Fri, Feb 21, 2025 at 11:46:16AM +0100, Florian Piekert wrote:

> Understanding correctly, what I defined in the smtp_tls_policy_maps has what
> function then?
> https://www.postfix.org/postconf.5.html#smtp_tls_policy_maps
> I tell pf to send mail for this domain via "secure"d TLS to - probably - the
> MXs responsible for the domain, right?
> No. Since MX dns requests will not be performed.

Well, as documented the Postfix "secure" TLS level implements a certificate
verification policy that is not subject to active attacks on generally
unsigned MX records.

https://www.postfix.org/postconf.5.html#smtp_tls_secure_cert_match

> And since I do not have a MTA-STS plugin yet, whatever policy exists
> is irrelevant at this moment, since it is not "visible" to pf anyway
> (due to lack of plugin).

That is, your MTA-STS policy is irrelevant. Your TLS policy table however
is quite crucial. What you probably "want" is:

# IIRC match is cumulative if specified multiple times.
# Check the docs...
#
example.com secure match=mx1.example.com match=mx2.example.net match=mx3.example.com

> But follow up, WHY is secure failing - since the certs can be verified
> OK.

Because MX hosts obtained from unsigned DNS are not at all "secure".

> What is then the expectation of pf for the cert?

Whatever you specified as the list "match" names, which defaults to
$smtp_tls_secure_cert_match.

> Apparently not the MX hostname?

This is documented. I'd like to suggest reading the docs.

-- 
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
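The point of the reply above is that at the "secure" level Postfix does not check the server certificate against the MX host name (which comes from unsigned DNS) but against the "match" names from the policy table, defaulting to $smtp_tls_secure_cert_match (nexthop, dot-nexthop). The following Python is an added model of that selection logic, written for this thread and not taken from Postfix; it parses a policy value like the one quoted above and reports which of a set of constructed MX certificates would pass. The name-matching rules (exact match, or a leading-dot pattern matching subdomains) are a simplification of the Postfix matcher and are assumptions of the model, as are the MX names and certificate names in the scenario.

```python
"""Model of certificate-name matching at the Postfix "secure" TLS level.

Added illustration for the mailing-list thread; not Postfix code.
Assumption: a pattern beginning with "." matches any subdomain of it,
any other pattern must match a certificate DNS name exactly
(case-insensitive). Real Postfix has more rules (e.g. wildcard certs).
"""

# smtp_tls_secure_cert_match default when the policy carries no match=
SECURE_DEFAULT_MATCH = ["nexthop", "dot-nexthop"]


def parse_policy(value):
    """Parse a smtp_tls_policy_maps value such as
    'secure match=mx1.example.com match=mx2.example.net'.

    Returns (level, match_names). 'match=' may appear several times and each
    value may itself be a colon-separated list; all names are accumulated.
    """
    parts = value.split()
    level = parts[0]
    names = []
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key == "match":
            names.extend(n for n in val.split(":") if n)
    return level, names


def expand_match_names(names, nexthop):
    """Turn the symbolic names 'nexthop' and 'dot-nexthop' into concrete
    patterns. The MX host name is deliberately *not* available here: it was
    obtained from unsigned DNS, which is exactly why the secure level does not
    rely on it (the point made in the reply above).
    """
    patterns = []
    for name in names:
        if name == "nexthop":
            patterns.append(nexthop)
        elif name == "dot-nexthop":
            patterns.append("." + nexthop)
        else:
            patterns.append(name)
    return patterns


def name_matches(pattern, cert_name):
    """One certificate DNS name against one pattern (model assumption:
    leading-dot pattern = any subdomain, otherwise exact, case-insensitive)."""
    pattern = pattern.lower()
    cert_name = cert_name.lower()
    if pattern.startswith("."):
        return cert_name.endswith(pattern)
    return cert_name == pattern


def cert_verified(policy_value, nexthop, cert_dns_names):
    """Would the certificate's DNS names satisfy this secure-level policy?"""
    level, names = parse_policy(policy_value)
    if level != "secure":
        raise ValueError("this model only covers the 'secure' level")
    patterns = expand_match_names(names or SECURE_DEFAULT_MATCH, nexthop)
    return any(name_matches(p, c) for p in patterns for c in cert_dns_names)


# Constructed scenario (hypothetical, not from the thread): next-hop domain
# example.com has one MX in its own domain and one in a different domain,
# each presenting a certificate for its own host name.
NEXTHOP = "example.com"
MX_CERT_NAMES = {
    "mx1.example.com": ["mx1.example.com"],
    "mx2.example.net": ["mx2.example.net"],
}


def evaluate(policy_value, nexthop=NEXTHOP, mx_certs=MX_CERT_NAMES):
    """Map each MX host to whether its certificate passes the policy."""
    return {mx: cert_verified(policy_value, nexthop, sans)
            for mx, sans in mx_certs.items()}


if __name__ == "__main__":
    # Default match names: the cert in a foreign domain cannot pass.
    print(evaluate("secure"))
    # Explicit match names as in the quoted policy: both certs pass.
    print(evaluate("secure match=mx1.example.com match=mx2.example.net"))
```

With the bare "secure" policy only mx1.example.com verifies (via dot-nexthop); mx2.example.net verifies only once its name is listed explicitly, which is what the quoted policy line does.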