On Mon, Oct 14, 2013 at 08:12:01AM -0400, Dan Langille wrote:

> The master.cf has something like this:
>
> 64.147.113.42:5587 inet n - n - - smtpd
>   -o smtp_tls_security_level=encrypt

The above setting is pointless, drop it.

>   -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt

An empty or nearly empty file is best here, all the CA DNs are sent
to the SMTP client, which does not need any of them.

> Some of the entries from main.cf are:
>
> smtp_tls_policy_maps = hash:/usr/local/etc/postfix-config/tls_policy
> transport_maps = hash:/usr/local/etc/postfix-config/transport
> relay_clientcerts = hash:/usr/local/etc/postfix-config/relay_clientcerts
> smtpd_tls_fingerprint_digest=sha1
> smtp_tls_fingerprint_digest=sha1

Consider enabling TLS session caching.

--
Viktor.
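Added example, not part of the original message or of Postfix: a small check that parses master.cf logical lines and reports `-o smtp_*` (client-side) overrides attached to an `smtpd` service, the mistake pointed out in the reply above. The sample text, the `relay` entry and the function names are constructed for illustration, and the Postfix 3.x `-o { name = value }` form is not handled.

```python
import shlex

# Constructed sample modelled on the master.cf excerpt quoted in the thread.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
64.147.113.42:5587 inet n - n - - smtpd
  -o smtp_tls_security_level=encrypt
  -o smtpd_tls_CAfile=/usr/local/etc/ssl/ca-bundle.crt
relay unix - - n - - smtp
  -o smtp_tls_security_level=encrypt
"""

def logical_lines(text):
    """Join master.cf continuation lines (those starting with whitespace)."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments are ignored
        if raw[0] in " \t" and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries

def misplaced_client_overrides(text):
    """Return (service, parameter) pairs where an smtpd(8) service carries
    a -o override for an smtp_* (SMTP client) parameter."""
    findings = []
    for entry in logical_lines(text):
        fields = shlex.split(entry)
        if len(fields) < 8:
            continue  # not a complete service definition
        service, command, args = fields[0], fields[7], fields[8:]
        if command != "smtpd":
            continue
        for flag, value in zip(args, args[1:]):
            name = value.split("=", 1)[0].strip()
            if flag == "-o" and name.startswith("smtp_"):
                findings.append((service, name))
    return findings

if __name__ == "__main__":
    for service, name in misplaced_client_overrides(SAMPLE_MASTER_CF):
        print(f"{service}: '-o {name}=...' is a client setting on an smtpd service")
```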