> On Mar 13, 2018, at 10:53 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:
> Yes, I've set smtpd_tls_ask_ccert to yes.
You almost certainly don't need this.
> Hmmm, I now also noticed I don't have Trusted or Verified anymore, this must
> be a miss on my side after the switch from 2.10 to 3.1 postfix.
"Verified" is not possible with smtpd(8). "Trusted" could happen when the
certificate is signed by a trusted CA:
but, typically, you should not be requesting client certificates that
serve no purpose.
> I need ssl verification
Not for incoming traffic; there, just supporting STARTTLS is all you need.
> smtpd_starttls_timeout = 300s
Don't duplicate default settings.
> smtpd_enforce_tls = no
These are obsolete
> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 2
You don't need these. I see no evidence of any meaningful use of
client certs. At least not on port 25 via main.cf.
> smtpd_tls_always_issue_session_ids = no
This is the default.
> smtpd_tls_received_header = yes
Second time this is set.
> smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer
It is much better to have all the required intermediates in
your certfile, and leave this field empty.
> smtpd_tls_ciphers = high
This is unwise, the (default in supported releases) "medium" is better, see:
> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
> DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
This too is unwise. Remove this setting.
> # Enable EECDH key exchange for Forward Security
With OpenSSL 1.0.2 or later and Postfix >= 3.2, you're far
better off with the default of "auto".
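The objections raised in the reply above, applied mechanically to a main.cf fragment: this is an added example, not code from the thread or from Postfix. The sample main.cf is constructed to mirror the quoted settings; the `smtpd_tls_security_level = may` line and the `auto` EECDH value are assumptions, since the thread does not show them, and the table of defaults assumes Postfix 3.2 or later with OpenSSL 1.0.2 or later.

```python
"""Lint a Postfix main.cf fragment for the smtpd TLS problems raised in the
thread: parameters set to their default, obsolete parameters, parameters set
twice, and client-certificate / cipher settings that serve no purpose on port
25.  Added example; not code from the thread or from Postfix."""

# Built-in defaults in Postfix >= 3.2 (assumption: supported 3.x release).
# Setting a parameter to its default is noise that hides the settings that matter.
DEFAULTS = {
    "smtpd_starttls_timeout": "300s",
    "smtpd_tls_always_issue_session_ids": "no",
    "smtpd_tls_ask_ccert": "no",
    "smtpd_tls_ciphers": "medium",
    "smtpd_tls_eecdh_grade": "auto",      # "auto" is the default since Postfix 3.2
    "smtpd_tls_exclude_ciphers": "",
    "smtpd_tls_CAfile": "",
}

# Parameters newer Postfix no longer uses, with their replacement.
OBSOLETE = {"smtpd_enforce_tls": "smtpd_tls_security_level"}

# Client-certificate settings: pointless on port 25 unless client certs are
# actually used, and "Verified" is not possible in smtpd(8) anyway.
CLIENT_CERT = {"smtpd_tls_ask_ccert", "smtpd_tls_ccert_verifydepth"}

# Settings the thread says to leave alone: "medium" is the supported default,
# hand-written exclude lists only cost interoperability, and intermediates
# belong in the cert file rather than in smtpd_tls_CAfile.
HANDS_OFF = {"smtpd_tls_ciphers", "smtpd_tls_exclude_ciphers", "smtpd_tls_CAfile"}

# Constructed sample, modelled on the settings quoted in the thread.
SAMPLE_MAIN_CF = """\
# constructed sample main.cf fragment
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_starttls_timeout = 300s
smtpd_enforce_tls = no
smtpd_tls_ask_ccert = yes
smtpd_tls_ccert_verifydepth = 2
smtpd_tls_always_issue_session_ids = no
smtpd_tls_received_header = yes
smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5,
    DSS, ECDSA, CAMELLIA128, CAMELLIA256, 3DES
# Enable EECDH key exchange for Forward Security
smtpd_tls_eecdh_grade = auto
"""


def parse_main_cf(text):
    """Parse main.cf syntax: 'name = value', '#' comment lines, and continuation
    lines that start with whitespace.  Returns [(lineno, name, value), ...]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:          # continuation of the previous value
            ln, name, value = entries[-1]
            entries[-1] = (ln, name, f"{value} {raw.strip()}")
            continue
        name, sep, value = raw.partition("=")
        if sep:
            entries.append((lineno, name.strip(), value.strip()))
    return entries


def lint(entries):
    """Return [(lineno, name, problem), ...]; one problem per entry, plus a
    separate finding for every repeat of a parameter already set earlier."""
    findings = []
    first_seen = {}
    for lineno, name, value in entries:
        if name in first_seen:
            findings.append((lineno, name,
                             f"set again (first set on line {first_seen[name]}); keep one"))
        else:
            first_seen[name] = lineno
        if name in OBSOLETE:
            problem = f"obsolete; use {OBSOLETE[name]} instead"
        elif name in CLIENT_CERT:
            problem = "client certs serve no purpose on port 25; remove it"
        elif name in DEFAULTS and value.lower() == DEFAULTS[name]:
            problem = "same as the default; remove it"
        elif name in HANDS_OFF:
            problem = "leave at the default; remove it"
        else:
            continue
        findings.append((lineno, name, problem))
    return findings


def cleaned(entries):
    """The fragment with every flagged entry removed, as 'name = value' lines."""
    flagged = {(ln, name) for ln, name, _ in lint(entries)}
    return [f"{name} = {value}" for ln, name, value in entries if (ln, name) not in flagged]


if __name__ == "__main__":
    parsed = parse_main_cf(SAMPLE_MAIN_CF)
    for ln, name, problem in lint(parsed):
        print(f"line {ln}: {name}: {problem}")
    print("\nwhat is left after cleanup:")
    print("\n".join(cleaned(parsed)))
```

Run against the sample, ten of the twelve parameters are flagged and only `smtpd_tls_security_level = may` and the first `smtpd_tls_received_header = yes` survive, which is the point of the reply: a port-25 smtpd needs STARTTLS enabled and very little else.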