Re: [exim] DANE with Exim

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] DANE with Exim
On Tue, May 20, 2014 at 10:34:29AM -0400, Chris Knadle wrote:

> > Well, Postfix has the best TLS support of any MTA, and now also
> > supports DANE. So it should not be surprising that DANE early
> > adopters are using Postfix. You could definitely do worse than
> > switch to Postfix.
>
> A friend who's been running Postfix for a decade has been having TLS trouble
> with it, because (supposedly) TLS transfers are not tried by default and he
> hasn't yet found how to change that. [I suspect that the cause is some kind
> of local configuration complication.]


Well, TLS is a compile-time option, and perhaps he's using software
not built with TLS support. If his Postfix dates back to 2004, it
is even more likely to not have TLS; Wietse adopted TLS in the 2.2
release in 2005 and I overhauled the design for 2.3 (2006) with
various improvements after that, leading to DANE in 2.11 (2014).

For modern Postfix releases (2.3 and onward), compiled with TLS
support, all it takes is:

    main.cf:
    tls_random_source = dev:/dev/urandom


    # No trusted CAs (default unless some vendor "improved" it).
    #
    smtp_tls_CAfile =
    smtp_tls_CApath =


    # No client certificates (default unless some vendor "improved" it).
    #
    smtp_tls_cert_file =


    # TLS session cache (optional, but helpful):
    #
    smtp_tls_session_cache_database =
        btree:${data_directory}/smtp_tls_session_cache


    # Enable opportunistic TLS, and record log evidence of its use:
    #
    smtp_tls_security_level = may
    smtp_tls_loglevel = 1


    master.cf:
    # Uncomment the tlsmgr(8) entry:
    tlsmgr     unix  -       -       n       1000?   1       tlsmgr


For further help, (if he also wants inbound TLS) your friend should
ask on the postfix-users list, after looking at:

    http://www.postfix.org/TLS_README.html#quick-start


-- 
    Viktor.
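An added example, not part of the original message or of Postfix itself: a small checker that reads main.cf and master.cf text and reports why an install like the friend's would never attempt outbound TLS, using the parameters listed above. The config fragments are constructed samples, and the finding strings are my own wording.

```python
# Constructed main.cf / master.cf fragments (not from any real host). The first
# pair never attempts outbound TLS, as in the thread's complaint; the second
# applies the settings given in the post.
BROKEN_MAIN_CF = "smtp_tls_CAfile = /etc/ssl/certs/ca-bundle.crt\nsmtp_tls_loglevel = 0\n"
BROKEN_MASTER_CF = "#tlsmgr     unix  -       -       n       1000?   1       tlsmgr\n"
FIXED_MAIN_CF = """\
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_cert_file =
smtp_tls_session_cache_database =
    btree:${data_directory}/smtp_tls_session_cache
smtp_tls_security_level = may
smtp_tls_loglevel = 1
"""
FIXED_MASTER_CF = "tlsmgr     unix  -       -       n       1000?   1       tlsmgr\n"

def parse_main_cf(text):
    """Parse main.cf 'name = value' lines. '#' comment lines are skipped; a line
    that starts with whitespace continues the previous parameter's value."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and last is not None:
            params[last] = (params[last] + " " + line.strip()).strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def tlsmgr_enabled(master_cf):
    """True when master.cf has an uncommented tlsmgr(8) service entry."""
    for line in master_cf.splitlines():
        fields = line.split()
        if fields and fields[0] == "tlsmgr" and fields[-1] == "tlsmgr":
            return True
    return False

def check_opportunistic_tls(main_cf, master_cf):
    """Return a list of findings explaining why outbound TLS is not (fully) used."""
    p, findings = parse_main_cf(main_cf), []
    if p.get("smtp_tls_security_level", "none") in ("", "none"):  # unset: no STARTTLS
        findings.append("smtp_tls_security_level unset/none: outbound TLS never attempted")
    lvl = p.get("smtp_tls_loglevel", "0")
    if not (lvl.isdigit() and int(lvl) >= 1):
        findings.append("smtp_tls_loglevel < 1: no log evidence of TLS use")
    if p.get("smtp_tls_CAfile") or p.get("smtp_tls_CApath"):
        findings.append("trusted CAs configured: not needed for opportunistic TLS")
    if not tlsmgr_enabled(master_cf):
        findings.append("tlsmgr(8) not active in master.cf: session cache and PRNG seeding unavailable")
    return findings
```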