On Mon, Jun 08, 2015 at 04:35:01PM +0100, Andrew Beverley wrote:
> Given that SASL authentication over TLS is becoming more prevalent, I
> think it would be worth adding a small note to this section:
>
> http://www.postfix.org/SOHO_README.html#client_sasl_enable
>
> stating that "smtp_use_tls = yes" is needed in such cases, plus the
> required smtp settings as detailed in
>
> http://www.postfix.org/TLS_README.html
Note that "smtp_use_tls = yes" is obsolete; the preferred interface
is:

    http://www.postfix.org/postconf.5.html#smtp_tls_security_level

And/or its per-destination variant:

    http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

For a submission nullclient:

    relayhost = [smtp.example.net]:587
    smtp_tls_security_level = secure

    # don't preload any CA certs.
    # instead read the relevant cert at handshake time
    #
    smtp_tls_CAfile =
    smtp_tls_CApath = ... system dependent path of "hashed" directory ...

or if the root CA signing the relayhost certificate is sufficiently stable:

    # Preload one or more preferred CAs, don't use kitchen-sink
    # "hashed" directory bundle.
    #
    smtp_tls_CApath =
    smtp_tls_CAfile = ${config_directory}/trusted-relay-CAs.pem

--
Viktor.
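
An added example, not part of the message above and not Postfix code: a small audit of main.cf text for the points raised in this thread (the obsolete smtp_use_tls, SASL enabled without server certificate verification, and a verifying level with neither CA parameter set). The function names and both sample configurations are constructed for illustration; smtp_sasl_auth_enable is the SASL client switch from the SOHO_README section the thread links to.

```python
import re

# Levels at which the Postfix SMTP client does not authenticate the server
# certificate ("" means the parameter is unset).
UNAUTHENTICATED = {"", "none", "may", "encrypt"}

def parse_main_cf(text):
    """main.cf syntax: '#' comment lines, a line starting with whitespace
    continues the previous logical line, the last definition of a name wins."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and name:
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        m = re.match(r"(\w+)\s*=\s*(.*)$", raw)
        if m:
            name = m.group(1)
            params[name] = m.group(2).strip()
    return params

def audit_nullclient(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    p = parse_main_cf(text)
    findings = []
    if "smtp_use_tls" in p:
        findings.append("smtp_use_tls is obsolete; use smtp_tls_security_level")
    level = p.get("smtp_tls_security_level", "")
    if p.get("smtp_sasl_auth_enable") == "yes" and level in UNAUTHENTICATED:
        findings.append("SASL enabled but relay certificate is not verified "
                        f"(smtp_tls_security_level={level or 'unset'})")
    if level in ("verify", "secure") and not (
            p.get("smtp_tls_CAfile") or p.get("smtp_tls_CApath")):
        findings.append("neither smtp_tls_CAfile nor smtp_tls_CApath is set")
    return findings

# Constructed samples; PINNED follows the second variant in the message.
LEGACY = """relayhost = [smtp.example.net]:587
smtp_sasl_auth_enable = yes
smtp_use_tls = yes
"""
PINNED = """relayhost = [smtp.example.net]:587
smtp_sasl_auth_enable = yes
smtp_tls_security_level = secure
# Preload one preferred CA
smtp_tls_CApath =
smtp_tls_CAfile = ${config_directory}/trusted-relay-CAs.pem
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("pinned", PINNED)):
        print(label, audit_nullclient(cfg) or "ok")
```

The audit only reads the parameters named in this thread; it does not evaluate smtp_tls_policy_maps entries, which can override the level per destination.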