install_postfix_advanced.sh: adjust defaulr 'main.cf' file.

This commit is contained in:
Christoph 2024-09-26 17:44:21 +02:00
parent 307c47d4a5
commit 361ccefd9a


@ -1813,25 +1813,112 @@ smtp_dns_support_level = dnssec
## - Aktiviert TLS für den Mailempfang ## - Aktiviert TLS für den Mailempfang
## - ## -
## - may:
## - Opportunistic TLS. Use TLS if this is supported by the remote # By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix
## - SMTP server, otherwise use plaintext # is visible. Explicitly switch it on using "smtpd_use_tls = yes".
## - #
## - This overrides the obsolete parameters smtpd_use_tls and # Example:
## - smtpd_enforce_tls. This parameter is ignored with #
## - "smtpd_tls_wrappermode = yes". # /etc/postfix/main.cf:
#smtpd_use_tls=yes # smtpd_use_tls = yes
#
# With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but does
# not require that clients use TLS encryption.
#
smtpd_use_tls=yes
# The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is
# specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls.
# This parameter is ignored with "smtpd_tls_wrappermode = yes".
#
# Specify one of the following security levels:
#
# none
# TLS will not be used.
#
# may
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not
# require that clients use TLS encryption.
#
# encrypt
# Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and
# reject all plaintext commands except HELO, EHLO, XCLIENT, STARTTLS, NOOP, QUIT,
# and (Postfix ≥ 3.9) HELP. According to RFC 2487 this MUST NOT be applied in case
# of a publicly-referenced SMTP server. Instead, this should be used on dedicated
# servers, for example submission (port 587).
#
smtpd_tls_security_level=may smtpd_tls_security_level=may
## - Aktiviert TLS für den Mailversand ## - Aktiviert TLS für den Mailversand
## - ## -
## - may:
## - Opportunistic TLS: announce STARTTLS support to SMTP clients, # Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support,
## - but do not require that clients use TLS encryption. # otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if /
# smtp_use_tls=yes # it is not configured.
#smtp_tls_security_level=may #
# default: no
#
smtp_use_tls=yes
# The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value
# is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls,
# and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername
# or the obsolete parameters, the default SMTP TLS security level is none.
#
# Specify one of the following security levels:
#
# none
# No TLS. TLS will not be used unless enabled for specific destinations
# via smtp_tls_policy_maps.
#
# may
# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise
# use plaintext; after a failed TLS handshake or TLS session, fall back to plaintext
# if the message has spent minimal_backoff_time in the mail queue. Since sending in the
# clear is acceptable, demanding stronger than default TLS security merely reduces
# interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6)
# configuration parameters provide control over the protocols and cipher grade used
# with opportunistic TLS. With earlier releases the opportunistic TLS cipher grade is
# always "export" and no protocols are disabled. When TLS handshakes fail, the
# connection is retried with TLS disabled. This allows mail delivery to sites with
# non-interoperable TLS implementations.
#
# encrypt
# Mandatory TLS encryption. Since a minimum level of security is intended, it is
# reasonable to be specific about sufficiently secure protocol versions and ciphers.
# At this security level and higher, the main.cf parameters smtp_tls_mandatory_protocols
# and smtp_tls_mandatory_ciphers specify the TLS protocols and minimum cipher grade
# which the administrator considers secure enough for mandatory encrypted sessions.
# This security level is not an appropriate default for systems delivering mail to the
# Internet.
#
# dane
# Opportunistic DANE TLS. At this security level, the TLS policy for the destination
# is obtained via DNSSEC. For TLSA policy to be in effect, the destination domain's
# containing DNS zone must be signed and the Postfix SMTP client's operating system
# must be configured to send its DNS queries to a recursive DNS nameserver that is
# able to validate the signed records. Each MX host's DNS zone should also be signed,
# and should publish DANE TLSA (RFC 7672) records that specify how that MX host's TLS
# certificate is to be verified. TLSA records do not preempt the normal SMTP MX host
# selection algorithm, if some MX hosts support TLSA and others do not, TLS security
# will vary from delivery to delivery.
#
# dane-only
# ...
#
# fingerprint
# ...
#
# verify
# ...
#
# secure
# ...
#
smtp_tls_security_level=dane smtp_tls_security_level=dane
## - 0 Disable logging of TLS activity. ## - 0 Disable logging of TLS activity.
## - 1 Log TLS handshake and certificate information. ## - 1 Log TLS handshake and certificate information.
## - 2 Log levels during TLS negotiation. ## - 2 Log levels during TLS negotiation.