Herbert J. Skuhra via Postfix-users:
> On Mon, 28 Jan 2019 13:59:23 +0100, Stefan Bauer wrote:
> >
> > Hi,
> >
> > we would like to go the next step, enable smtp_tls_security_level = dane.
> > Currently we have encrypt site-wide.
> >
> > But in cases where remote sites do not have published key material, the
> > fallback is may with dane, which is a step back in terms of security and
> > not wanted.

Encryption without authentication is not 'security'. It just gives
some privacy.

> Is this possible by now? :-)
>
> I guess not, after reading
> https://www.postfix.org/postconf.5.html#smtp_tls_security_level.

To enable DANE and STS, consider using
https://github.com/Zuplu/postfix-tlspol

Then, you should be able to set smtp_tls_security_level=encrypt in
main.cf.

But that would make 'no TLS' a hard error without trying alternate
MX hosts. To avoid that, use the smtp_dsn_filter example in
https://www.postfix.org/postconf.5.html#default_delivery_status_filter

Wietse