
Configure TLS fallback option for mail delivery

Open lifeboy opened this issue 2 years ago • 8 comments

How could I configure mail delivery to try with TLS, but if the receiving server doesn't support it, to fall back to unencrypted transmission?

<[email protected]>: TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244]

<[email protected]>: TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244]

<[email protected]>: TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244]

lifeboy avatar Nov 10 '22 18:11 lifeboy

I found this post: https://discourse.mailinabox.email/t/tls-is-required-but-was-not-offered-by-host/9317

So it seems that setting the following in /etc/postfix/main.cf will allow fallback to non-encrypted transmission:

smtp_tls_security_level=dane
#smtp_tls_security_level=encrypt

"dane"... what does this actually mean? I see "try" is also an option.

lifeboy avatar Nov 13 '22 20:11 lifeboy

To answer my own question:

https://www.postfix.org/TLS_README.html#client_tls_dane

Quite some way down on that page, I found this:

dane [Opportunistic DANE TLS](https://www.postfix.org/TLS_README.html#client_tls_dane). The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, the effective security level used is [may](https://www.postfix.org/TLS_README.html#client_tls_may). If TLSA records are found, but none are usable, the effective security level is [encrypt](https://www.postfix.org/TLS_README.html#client_tls_encrypt). When usable TLSA records are obtained for the remote SMTP server, SSLv2+3 are automatically disabled (see [smtp_tls_mandatory_protocols](https://www.postfix.org/postconf.5.html#smtp_tls_mandatory_protocols)), and the server certificate must match the TLSA records. [RFC 7672](https://tools.ietf.org/html/rfc7672) (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later.

Would it then not be better to make "dane" the default smtp setting?

lifeboy avatar Nov 13 '22 20:11 lifeboy

Would it be a big undertaking to allow this option to be selected from the GUI? Or maybe as part of the setup script?

e.g. Would you like to enable "dane" TLS fallback? Yes/No.

lifeboy avatar Nov 16 '22 19:11 lifeboy

This is a pretty old ticket, but no response yet? This happens every now and then, so can we make this change?

lifeboy avatar May 22 '24 14:05 lifeboy

> This is a pretty old ticket, but no response yet? This happens every now and then, so can we make this change?

Can't see the struggle. Change it in your personal config, if you accept the unencrypted transmission. This shouldn't be a standard config or option for all.

PyroniaDE avatar May 22 '24 15:05 PyroniaDE

Hi!

I'm still in the (slow) process of catching up to the latest upstream versions, so it'll take a while until I get to these open issues 😅 Apologies for the delay 😔

ddavness avatar May 22 '24 23:05 ddavness

> This is a pretty old ticket, but no response yet? This happens every now and then, so can we make this change?

> Change it in your personal config, if you accept the unencrypted transmission. This shouldn't be a standard config or option for all.

I'm not sure I get your point. Which "personal config" are you referring to? If I change this in /etc/postfix/main.cf, like this:

smtp_tls_security_level=dane
#smtp_tls_security_level=encrypt

each time I run an update I have to manually change it back to the above. There are (surprisingly) still some large orgs/ISPs that have mail servers that don't have encrypted connections!

lifeboy avatar May 27 '24 10:05 lifeboy
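A middle ground between the global `encrypt` default and a global `dane`/`may` downgrade is Postfix's per-destination `smtp_tls_policy_maps` table, which lets the box keep requiring TLS everywhere except for the destinations that have actually been seen refusing it. The script below is an added example, not part of this thread or of power-mailinabox: it scans mail-log lines for the exact "TLS is required, but was not offered by host" deferral shown above and renders a `tls_policy` map for the affected recipient domains. The log line layout and recipient addresses are constructed for the example; `SAMPLE_LOG` stands in for `/var/log/mail.log`.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape postfix/smtp logs a deferral when
# smtp_tls_security_level=encrypt and the peer offers no STARTTLS. The host
# and IP come from the bounce text in the thread; recipients are invented.
SAMPLE_LOG = """\
Nov 10 17:55:01 box postfix/smtp[2211]: 4A1B2C3D: to=<someone@hytec.co.za>, relay=mail.hytec.co.za[196.7.218.244]:25, delay=1.2, delays=0.1/0/1/0.1, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244])
Nov 10 17:55:03 box postfix/smtp[2211]: 4A1B2C3E: to=<other@hytec.co.za>, relay=mail.hytec.co.za[196.7.218.244]:25, delay=1.1, delays=0.1/0/1/0.1, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244])
Nov 10 17:56:10 box postfix/smtp[2212]: 4A1B2C3F: to=<user@example.org>, relay=mx.example.org[203.0.113.5]:25, delay=0.9, delays=0.1/0/0.7/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Recipient domain, plus the host/IP Postfix names in the deferral reason.
PATTERN = re.compile(
    r"to=<[^@>]+@(?P<domain>[^>]+)>.*?"
    r"status=deferred \(TLS is required, but was not offered by host "
    r"(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]\)"
)


def find_tls_refusals(log_text):
    """Map each recipient domain deferred for missing TLS to the refusing
    host, its IP and how many deliveries were held back."""
    hits = defaultdict(lambda: {"host": None, "ip": None, "count": 0})
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if m:
            entry = hits[m.group("domain").lower()]
            entry["host"], entry["ip"] = m.group("host"), m.group("ip")
            entry["count"] += 1
    return dict(hits)


def tls_policy_map(refusals, level="dane"):
    """Render smtp_tls_policy_maps entries for the affected domains only.
    Use with: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
    (then `postmap /etc/postfix/tls_policy`); the global level stays encrypt."""
    return "\n".join(f"{domain} {level}" for domain in sorted(refusals))


if __name__ == "__main__":
    found = find_tls_refusals(SAMPLE_LOG)
    for domain, info in found.items():
        print(f"{domain}: {info['count']} deferred via {info['host']}[{info['ip']}]")
    print(tls_policy_map(found))
```

Review the generated entries before installing them: each one is a deliberate decision to accept cleartext delivery to that domain, and the count column shows how much mail is actually being held.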

> Hi!

> I'm still in the (slow) process of catching up to the latest upstream versions, so it'll take a while until I get to these open issues 😅 Apologies for the delay 😔

:+1: :1st_place_medal:

lifeboy avatar May 27 '24 10:05 lifeboy