From 361ccefd9a60b86d29b945d38c2af08993b6cdab Mon Sep 17 00:00:00 2001
From: root
Date: Thu, 26 Sep 2024 17:44:21 +0200
Subject: [PATCH] install_postfix_advanced.sh: adjust defaulr 'main.cf' file.

---
 install_postfix_advanced.sh | 113 +++++++++++++++++++++++++++++++-----
 1 file changed, 100 insertions(+), 13 deletions(-)

diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh
index 001d73a..0dd06ed 100755
--- a/install_postfix_advanced.sh
+++ b/install_postfix_advanced.sh
@@ -1813,25 +1813,112 @@ smtp_dns_support_level = dnssec
 ## - Aktiviert TLS für den Mailempfang
 ## -
-## - may:
-## - Opportunistic TLS. Use TLS if this is supported by the remote
-## - SMTP server, otherwise use plaintext
-## -
-## - This overrides the obsolete parameters smtpd_use_tls and
-## - smtpd_enforce_tls. This parameter is ignored with
-## - "smtpd_tls_wrappermode = yes".
-#smtpd_use_tls=yes
+
+# By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix
+# is visible. Explicitly switch it on using "smtpd_use_tls = yes".
+#
+# Example:
+#
+# /etc/postfix/main.cf:
+# smtpd_use_tls = yes
+#
+# With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but does
+# not require that clients use TLS encryption.
+#
+smtpd_use_tls=yes
+
+
+# The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is
+# specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls.
+# This parameter is ignored with "smtpd_tls_wrappermode = yes".
+#
+# Specify one of the following security levels:
+#
+# none
+# TLS will not be used.
+#
+# may
+# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not
+# require that clients use TLS encryption.
+#
+# encrypt
+# Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and
+# reject all plaintext commands except HELO, EHLO, XCLIENT, STARTTLS, NOOP, QUIT,
+# and (Postfix ≥ 3.9) HELP. According to RFC 2487 this MUST NOT be applied in case
+# of a publicly-referenced SMTP server. Instead, this should be used on dedicated
+# servers, for example submission (port 587).
+#
 smtpd_tls_security_level=may
 ## - Aktiviert TLS für den Mailversand
 ## -
-## - may:
-## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
-## - but do not require that clients use TLS encryption.
-# smtp_use_tls=yes
-#smtp_tls_security_level=may
+
+# Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support,
+# otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if /
+# it is not configured.
+#
+# default: no
+#
+smtp_use_tls=yes
+
+# The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value
+# is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls,
+# and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername
+# or the obsolete parameters, the default SMTP TLS security level is none.
+#
+# Specify one of the following security levels:
+#
+# none
+# No TLS. TLS will not be used unless enabled for specific destinations
+# via smtp_tls_policy_maps.
+#
+# may
+# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise
+# use plaintext; after a failed TLS handshake or TLS session, fall back to plaintext
+# if the message has spent minimal_backoff_time in the mail queue. Since sending in the
+# clear is acceptable, demanding stronger than default TLS security merely reduces
+# interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6)
+# configuration parameters provide control over the protocols and cipher grade used
+# with opportunistic TLS. With earlier releases the opportunistic TLS cipher grade is
+# always "export" and no protocols are disabled. When TLS handshakes fail, the
+# connection is retried with TLS disabled. This allows mail delivery to sites with
+# non-interoperable TLS implementations.
+#
+# encrypt
+# Mandatory TLS encryption. Since a minimum level of security is intended, it is
+# reasonable to be specific about sufficiently secure protocol versions and ciphers.
+# At this security level and higher, the main.cf parameters smtp_tls_mandatory_protocols
+# and smtp_tls_mandatory_ciphers specify the TLS protocols and minimum cipher grade
+# which the administrator considers secure enough for mandatory encrypted sessions.
+# This security level is not an appropriate default for systems delivering mail to the
+# Internet.
+#
+# dane
+# Opportunistic DANE TLS. At this security level, the TLS policy for the destination
+# is obtained via DNSSEC. For TLSA policy to be in effect, the destination domain's
+# containing DNS zone must be signed and the Postfix SMTP client's operating system
+# must be configured to send its DNS queries to a recursive DNS nameserver that is
+# able to validate the signed records. Each MX host's DNS zone should also be signed,
+# and should publish DANE TLSA (RFC 7672) records that specify how that MX host's TLS
+# certificate is to be verified. TLSA records do not preempt the normal SMTP MX host
+# selection algorithm, if some MX hosts support TLSA and others do not, TLS security
+# will vary from delivery to delivery.
+#
+# dane-only
+# ...
+#
+# fingerprint
+# ...
+#
+# verify
+# ...
+#
+# secure
+# ...
+#
+smtp_tls_security_level=dane
+
 ## - 0 Disable logging of TLS activity.
 ## - 1 Log TLS handshake and certificate information.
 ## - 2 Log levels during TLS negotiation.
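Review bot: `smtp_tls_security_level=dane` is now written unconditionally, although the comment directly above it states that DANE only takes effect when the host's resolver validates DNSSEC and the destination zones publish signed TLSA records; nothing in the hunk checks the local resolver, so on a non-validating resolver the installed default presumably degrades to opportunistic TLS without the administrator noticing. Consider having the installer verify that a DNSSEC-validating resolver is in use before selecting `dane` (otherwise emit `may` and print a warning), or at least add `# NOTE: requires a DNSSEC-validating local resolver (see smtp_dns_support_level); without one this is effectively opportunistic TLS` above the key. The obsolete `smtpd_use_tls=yes` and `smtp_use_tls=yes` are written right next to the `*_tls_security_level` keys that the new comments themselves say override them, so they can be dropped or marked as kept for compatibility only. The `dane-only`, `fingerprint`, `verify` and `secure` entries are left as `# ...` stubs and the line ending in `even if /` carries a stray slash; finish or remove those before shipping the template. The enclosing shell block (presumably the heredoc that writes main.cf) starts and ends outside the hunk.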