Hi! If you use postfix-tlspol, you can set `smtp_tls_security_level = encrypt` as the default. The socketmap will return dane-only or secure for DANE and MTA-STS, respectively. Opportunistic DANE (dane) will only be returned if an (external) MX server supports DANE but the original domain is not signed. Even in this rare case, the effective fallback will be mandatory unauthenticated TLS (encrypt) if DANE fails because of unsupported parameters, because Postfix equates the mere existence of TLSA records with a TLS requirement.
Ömer

> On 05.03.2025 at 12:32, Herbert J. Skuhra via Postfix-users <postfix-users@postfix.org> wrote:
>
> On Mon, 28 Jan 2019 13:59:23 +0100, Stefan Bauer wrote:
>>
>> Hi,
>>
>> we would like to go the next step, enable smtp_tls_security_level = dane.
>> Currently we have encrypt site-wide.
>>
>> But in cases where remote sites do not have published key material, the
>> fallback is may with dane, which is a step back in terms of security and
>> not wanted.
>
> Is this possible by now? :-)
>
> I guess not, after reading
> https://www.postfix.org/postconf.5.html#smtp_tls_security_level.
>
> Thanks,
> Herbert
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
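As an added example (not taken from Ömer's post or from the postfix-tlspol project), a main.cf fragment contrasting the `dane` default Stefan wanted to avoid with the `encrypt` default plus a postfix-tlspol policy map described above; the socketmap address `127.0.0.1:8642` and the map name `QUERY` are assumptions and must match how postfix-tlspol is actually configured on the host.

```conf
# Before (the setting under discussion): with "dane" as the default level,
# every destination without usable TLSA records silently degrades to "may",
# i.e. opportunistic TLS where cleartext delivery is still allowed.
#smtp_tls_security_level = dane

# After: mandatory unauthenticated TLS is the floor. Stricter levels come
# from the policy map, so a destination with neither DANE nor MTA-STS still
# gets "encrypt" rather than "may".
smtp_tls_security_level = encrypt

# postfix-tlspol socketmap (address and map name are assumptions; take the
# real values from your postfix-tlspol configuration). It returns
# "dane-only" for DANE-enabled domains and "secure" for MTA-STS domains;
# destinations it has no policy for fall through to the default above.
smtp_tls_policy_maps = socketmap:inet:127.0.0.1:8642:QUERY

# DANE lookups (dane / dane-only) require DNSSEC-validated answers from a
# local validating resolver; without these, Postfix cannot honour the
# DANE levels the policy map returns.
smtp_dns_support_level = dnssec
smtp_host_lookup = dns
```

After changing main.cf, `postfix reload` and check with `postconf -n smtp_tls_security_level smtp_tls_policy_maps` that the effective values are the ones intended.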