diff --git a/install_postfix_advanced.sh b/install_postfix_advanced.sh index 9dc03cf..ef3ca0b 100755 --- a/install_postfix_advanced.sh +++ b/install_postfix_advanced.sh 
@@ -1747,15 +1747,68 @@ cat <> /etc/postfix/main.cf # ============ TLS parameters ============ -## - supports DNSSEC -## - -## - !! Notice !! -## - In order to support DNSSEC and DANE your resolver MUST support -## - DNSSEC too. -## - -## - If your resolver does not support DNSSEC, install "unbound". -## - + +# What mechanisms the Postfix SMTP client uses to look up a host's IP address. +# This parameter is ignored when DNS lookups are disabled (see: disable_dns_lookups +# and smtp_dns_support_level). The "dns" mechanism is always tried before "native" +# if both are listed. +# +# Specify one of the following: +# +# dns +# Hosts can be found in the DNS (preferred). +# +# native +# Use the native naming service only (nsswitch.conf, or equivalent mechanism). +# +# dns, native +# Use the native service for hosts not found in the DNS. +# smtp_host_lookup = dns + +# Level of DNS support in the Postfix SMTP client. With "smtp_dns_support_level" +# left at its empty default value, the legacy "disable_dns_lookups" parameter c +# ontrols whether DNS is enabled in the Postfix SMTP client, otherwise the l +# egacy parameter is ignored. +# +# Specify one of the following: +# +# disabled +# Disable DNS lookups. No MX lookups are performed and hostname to address lookups +# are unconditionally "native". This setting is not appropriate for hosts that +# deliver mail to the public Internet. Some obsolete how-to documents recommend +# disabling DNS lookups in some configurations with content_filters. This is no +# longer required and strongly discouraged. +# +# enabled +# Enable DNS lookups. Nexthop destination domains not enclosed in "[]" will be +# subject to MX lookups. If "dns" and "native" are included in the "smtp_host_lookup" +# parameter value, DNS will be queried first to resolve MX-host A records, followed by +# "native" lookups if no answer is found in DNS. +# +# dnssec +# Enable DNSSEC lookups. 
The "dnssec" setting differs from the "enabled" setting above +# in the following ways: +# +# - Any MX lookups will set RES_USE_DNSSEC and RES_USE_EDNS0 to request DNSSEC-validated +# responses. If the MX response is DNSSEC-validated the corresponding hostnames are +# considered validated. +# +# - The address lookups of validated hostnames are also validated, (provided of course +# "smtp_host_lookup" includes "dns", see below). +# +# - Temporary failures in DNSSEC-enabled hostname-to-address resolution block any +# "native" lookups. Additional "native" lookups only happen when DNSSEC lookups +# hard-fail (NODATA or NXDOMAIN). +# +# default: empty +# +# !! Notice !! +# In order to support DNSSEC and DANE your resolver MUST support +# DNSSEC too. +# +# If your resolver does not support DNSSEC, install "unbound". +# smtp_dns_support_level = dnssec ## - Aktiviert TLS für den Mailempfang
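Review bot: In the new `smtp_dns_support_level` comment block, two words are split across comment lines ("parameter c" / "ontrols" and "otherwise the l" / "egacy parameter is ignored"), and the broken text goes as-is into the block written to /etc/postfix/main.cf; rewrap those lines so each word stays whole. In the same block, the "dnssec" bullet says `"smtp_host_lookup" includes "dns", see below`, but in this file `smtp_host_lookup` is documented above it, so "see above" would be correct. The notice that the resolver MUST support DNSSEC is still only a comment: nothing in the visible lines checks for a validating resolver before `smtp_dns_support_level = dnssec` is written, so consider having the script test for one (or install "unbound", as the notice itself suggests) rather than relying on the admin reading main.cf. Minor: the DNS lookup comments now sit directly under the "TLS parameters" heading and use a plain `#` English style next to the existing `## -` German comment that follows; a separate heading for the DNS settings and one comment style would keep the section readable.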