install_postfix_advanced.sh: adjust default 'main.cf' file.
parent 307c47d4a5
commit 361ccefd9a
@ -1813,25 +1813,112 @@ smtp_dns_support_level = dnssec
|
||||
|
||||
## - Aktiviert TLS für den Mailempfang
|
||||
## -
|
||||
## - may:
|
||||
## - Opportunistic TLS. Use TLS if this is supported by the remote
|
||||
## - SMTP server, otherwise use plaintext
|
||||
## -
|
||||
## - This overrides the obsolete parameters smtpd_use_tls and
|
||||
## - smtpd_enforce_tls. This parameter is ignored with
|
||||
## - "smtpd_tls_wrappermode = yes".
|
||||
|
||||
# By default, TLS is disabled in the Postfix SMTP server, so no difference to plain Postfix
|
||||
# is visible. Explicitly switch it on using "smtpd_use_tls = yes".
|
||||
#
|
||||
# Example:
|
||||
#
|
||||
# /etc/postfix/main.cf:
|
||||
# smtpd_use_tls = yes
|
||||
#
|
||||
# With this, Postfix SMTP server announces STARTTLS support to SMTP clients, but does
|
||||
# not require that clients use TLS encryption.
|
||||
#
|
||||
smtpd_use_tls=yes
|
||||
|
||||
|
||||
# The SMTP TLS security level for the Postfix SMTP server; when a non-empty value is
|
||||
# specified, this overrides the obsolete parameters smtpd_use_tls and smtpd_enforce_tls.
|
||||
# This parameter is ignored with "smtpd_tls_wrappermode = yes".
|
||||
#
|
||||
# Specify one of the following security levels:
|
||||
#
|
||||
# none
|
||||
# TLS will not be used.
|
||||
#
|
||||
# may
|
||||
# Opportunistic TLS: announce STARTTLS support to remote SMTP clients, but do not
|
||||
# require that clients use TLS encryption.
|
||||
#
|
||||
# encrypt
|
||||
# Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and
|
||||
# reject all plaintext commands except HELO, EHLO, XCLIENT, STARTTLS, NOOP, QUIT,
|
||||
# and (Postfix ≥ 3.9) HELP. According to RFC 2487 this MUST NOT be applied in case
|
||||
# of a publicly-referenced SMTP server. Instead, this should be used on dedicated
|
||||
# servers, for example submission (port 587).
|
||||
#
|
||||
smtpd_tls_security_level=may
|
||||
|
||||
## - Aktiviert TLS für den Mailversand
|
||||
## -
|
||||
## - may:
|
||||
## - Opportunistic TLS: announce STARTTLS support to SMTP clients,
|
||||
## - but do not require that clients use TLS encryption.
|
||||
# smtp_use_tls=yes
|
||||
#smtp_tls_security_level=may
|
||||
|
||||
# Opportunistic mode: use TLS when a remote SMTP server announces STARTTLS support,
|
||||
# otherwise send the mail in the clear. Beware: some SMTP servers offer STARTTLS even if /
|
||||
# it is not configured.
|
||||
#
|
||||
# default: no
|
||||
#
|
||||
smtp_use_tls=yes
|
||||
|
||||
# The default SMTP TLS security level for the Postfix SMTP client. When a non-empty value
|
||||
# is specified, this overrides the obsolete parameters smtp_use_tls, smtp_enforce_tls,
|
||||
# and smtp_tls_enforce_peername; when no value is specified for smtp_tls_enforce_peername
|
||||
# or the obsolete parameters, the default SMTP TLS security level is none.
|
||||
#
|
||||
# Specify one of the following security levels:
|
||||
#
|
||||
# none
|
||||
# No TLS. TLS will not be used unless enabled for specific destinations
|
||||
# via smtp_tls_policy_maps.
|
||||
#
|
||||
# may
|
||||
# Opportunistic TLS. Use TLS if this is supported by the remote SMTP server, otherwise
|
||||
# use plaintext; after a failed TLS handshake or TLS session, fall back to plaintext
|
||||
# if the message has spent minimal_backoff_time in the mail queue. Since sending in the
|
||||
# clear is acceptable, demanding stronger than default TLS security merely reduces
|
||||
# interoperability. The "smtp_tls_ciphers" and "smtp_tls_protocols" (Postfix ≥ 2.6)
|
||||
# configuration parameters provide control over the protocols and cipher grade used
|
||||
# with opportunistic TLS. With earlier releases the opportunistic TLS cipher grade is
|
||||
# always "export" and no protocols are disabled. When TLS handshakes fail, the
|
||||
# connection is retried with TLS disabled. This allows mail delivery to sites with
|
||||
# non-interoperable TLS implementations.
|
||||
#
|
||||
# encrypt
|
||||
# Mandatory TLS encryption. Since a minimum level of security is intended, it is
|
||||
# reasonable to be specific about sufficiently secure protocol versions and ciphers.
|
||||
# At this security level and higher, the main.cf parameters smtp_tls_mandatory_protocols
|
||||
# and smtp_tls_mandatory_ciphers specify the TLS protocols and minimum cipher grade
|
||||
# which the administrator considers secure enough for mandatory encrypted sessions.
|
||||
# This security level is not an appropriate default for systems delivering mail to the
|
||||
# Internet.
|
||||
#
|
||||
# dane
|
||||
# Opportunistic DANE TLS. At this security level, the TLS policy for the destination
|
||||
# is obtained via DNSSEC. For TLSA policy to be in effect, the destination domain's
|
||||
# containing DNS zone must be signed and the Postfix SMTP client's operating system
|
||||
# must be configured to send its DNS queries to a recursive DNS nameserver that is
|
||||
# able to validate the signed records. Each MX host's DNS zone should also be signed,
|
||||
# and should publish DANE TLSA (RFC 7672) records that specify how that MX host's TLS
|
||||
# certificate is to be verified. TLSA records do not preempt the normal SMTP MX host
|
||||
# selection algorithm, if some MX hosts support TLSA and others do not, TLS security
|
||||
# will vary from delivery to delivery.
|
||||
#
|
||||
# dane-only
|
||||
# ...
|
||||
#
|
||||
# fingerprint
|
||||
# ...
|
||||
#
|
||||
# verify
|
||||
# ...
|
||||
#
|
||||
# secure
|
||||
# ...
|
||||
#
|
||||
smtp_tls_security_level=dane
|
||||
|
||||
|
||||
## - 0 Disable logging of TLS activity.
|
||||
## - 1 Log TLS handshake and certificate information.
|
||||
## - 2 Log levels during TLS negotiation.
|
||||
|
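Review bot: `smtpd_use_tls=yes` and `smtp_use_tls=yes` are set directly beside `smtpd_tls_security_level=may` and `smtp_tls_security_level=dane`, although the comments in this same hunk say that a non-empty security level overrides the obsolete `*_use_tls` parameters. Drop the two obsolete settings and their comment blocks so the effective TLS policy is stated once per direction and a later reader does not take `smtp_use_tls=yes` for the active client policy. For `smtp_tls_security_level=dane`, the comment says the host must send its DNS queries to a recursive nameserver that validates signed records; the hunk header shows `smtp_dns_support_level = dnssec`, but nothing visible here checks the resolver, so the script should verify or at least document that prerequisite. The `may` description under "Aktiviert TLS für den Mailversand" ("announce STARTTLS support to SMTP clients") is the server-side wording and should be replaced with the client-side text used further down. The `dane-only`, `fingerprint`, `verify` and `secure` entries are left as `...`; either fill them in or remove them from the list.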