> On Mar 13, 2018, at 10:53 AM, L.P.H. van Belle <be...@bazuin.nl> wrote:
> Yes, i've set smtpd_tls_ask_ccert to yes.

You almost certainly don't need this.

> Hmmm, i now also noticed i dont have Trusted or Verified anymore, this must 
> be a miss on my side after the switch from 2.10 to 3.1 postfix.

"Verified" is not possible with smtpd(8).  "Trusted" could happen when the 
certificate is signed by a trusted CA:


but, typically, you should not be requesting client certificates that
serve no purpose.

> I need ssl verification

Not for incoming traffic, there just supporting STARTTLS is all you need.

> smtpd_starttls_timeout = 300s

Don't duplicate default settings.

> smtpd_use_tls=yes
> smtpd_enforce_tls = no

These are obsolete

> smtpd_tls_ask_ccert = yes
> smtpd_tls_ccert_verifydepth = 2

You don't need these.  I see no evidence of any meaningful use of
client certs.  At least not on port 25 via main.cf.

> smtpd_tls_always_issue_session_ids = no

This is the default.

> smtpd_tls_received_header = yes

Second time this is set.

> smtpd_tls_CAfile = /etc/ssl/certs/Intermediate.cer

It is much better to have all the required intermediates in
your certfile, and leave this field empty.

> smtpd_tls_ciphers = high

This is unwise, the (default in supported releases) "medium" is better, see:


> smtpd_tls_exclude_ciphers = eNULL, aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, 

This too is unwise.  Remove this setting.

> # Enable EECDH key exchange for Forward Security
> smtpd_tls_eecdh_grade=ultra

With OpenSSL 1.0.2 or later and Postfix >= 3.2, you're far
better off with the default of "auto".



Reply via email to