> On Jul 6, 2017, at 7:03 AM, Bastien Durel <[email protected]> wrote:
>
> I have a setup where an MTA will forward mail to another node, based on ldap
> configuration.
> It works well, but it uses ADH
>
> Received: from corrin.geekwu.org (unknown [87.98.180.13])
> (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
> (No client certificate requested)
> by arrakeen.geekwu.org (Postfix) with ESMTPS id A96DF6C07D
> for <[email protected]>; Thu, 6 Jul 2017 01:52:53 +0200 (CEST)
>
> I know I should not disable ADH on the public interface, but I'd like to prevent
> it on the "private" interface (intra-cluster only), as "cluster" nodes do
> communicate over the Internet.
SMTP transport security policy is largely up to the client, not the
server. See
http://www.postfix.org/TLS_README.html#client_tls_limits
http://www.postfix.org/TLS_README.html#client_tls_levels
The reason ADH is used is that the client is not bothering to authenticate
the server, and so does not bother to ask for a certificate it will anyhow
ignore. If you want secure transport, you need to set the client TLS
security level to "secure", "fingerprint", "dane" or "dane-only".
http://www.postfix.org/TLS_README.html#client_tls_secure
http://www.postfix.org/TLS_README.html#client_tls_fprint
http://www.postfix.org/TLS_README.html#client_tls_dane
--
Viktor.
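As an added illustration of the reply above (not part of the original thread, and not configuration from either poster), here is what the client-side policy change looks like in Postfix. The hostnames are taken from the quoted Received header; the policy file path, the fingerprint digest value and the assumption that the LDAP routing yields `[corrin.geekwu.org]` as the next-hop are hypothetical. With the default `may` level the client never asks for a certificate, so an anonymous (ADH) cipher suite can be negotiated; a per-destination entry in `smtp_tls_policy_maps` raises the level for the cluster peer only, leaving opportunistic TLS in place for everyone else.

```ini
# /etc/postfix/main.cf  (added example; values below are assumptions)

# Weak setting: opportunistic TLS for all destinations. The server is not
# authenticated, so the client does not request a certificate and the
# session can end up on an anonymous suite such as ADH-AES256-GCM-SHA384.
smtp_tls_security_level = may

# Corrected setting: keep "may" as the default, but override it per
# destination so the intra-cluster hop must authenticate the peer.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# CA bundle used to verify the peer certificate at the "secure" level.
# Path is an assumption; use the bundle that issued the cluster node certs.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Digest used for "fingerprint" entries in the policy table.
smtp_tls_fingerprint_digest = sha256

# Log "Verified TLS connection established to ..." so the change is visible.
smtp_tls_loglevel = 1
```

The policy table is keyed by the next-hop destination exactly as the routing produces it; for a bracketed next-hop the key keeps the brackets. One of the two forms below is enough (the fingerprint value is a placeholder and must be replaced with the real digest of the peer's certificate, e.g. from `openssl x509 -noout -fingerprint -sha256`):

```ini
# /etc/postfix/tls_policy  (added example; run "postmap /etc/postfix/tls_policy" after editing)

# Option A: certificate verified against the CA bundle, and the name in the
# certificate must match the cluster hostname (or a name under the domain).
[corrin.geekwu.org]   secure  match=corrin.geekwu.org:.geekwu.org

# Option B: pin the peer certificate (or public key) by digest instead of
# relying on a CA. Replace the placeholder with the real sha256 fingerprint.
# [corrin.geekwu.org]   fingerprint  match=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
```

Once the level is "secure" or "fingerprint", the client asks for and verifies the server certificate, so an anonymous suite is no longer selectable for that hop; the receiving side's Received header should then show a certificate-authenticated suite instead of `ADH-...`, and the sending side logs a "Verified TLS connection established" line. If the peer's certificate does not verify, delivery to that destination is deferred rather than downgraded, which is the intended failure mode for a private hop that crosses the Internet.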