tickets #40574
Email: tls configuration for anna/elsa (closed)
100%
Description
anna/elsa send unencrypted mails. We need to
1) adjust the crtmgr hooks.sh script to send the certificates to the postfix ssl directory
2) adjust main.cf with proper tls configuration
Updated by pjessen over 5 years ago
- Private changed from Yes to No
There is no need for a certificate for sending - just enable TLS.
smtp_tls_security_level = may
Updated by pjessen over 5 years ago
When the receiving side offers TLS, the sending side only needs to validate the certificate, but doesn't need a certificate itself.
Just like a browser accessing an https site.
Updated by pjessen over 5 years ago
tampakrap wrote:
anna/elsa are also relayhosts
But only for internal mails? Yes, if you want to encrypt that too, they will need certificates.
and updating the senders with smtp_tls_security_level = may
Updated by lrupp about 4 years ago
- Subject changed from tls configuration for anna/elsa to Email: tls configuration for anna/elsa
Updated by lrupp about 4 years ago
- Category changed from Servers hosted in NBG to Email
Updated by pjessen almost 4 years ago
I have enabled opportunistic TLS on anna and elsa, don't know why it took me so long. We had messages queueing up due to outlook.com requiring TLS, which is actually against the standing recommendation. Oh well.
# 20200331 pjessen https://progress.opensuse.org/issues/40574
#smtp_use_tls = no
#smtp_enforce_tls = no
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
Updated by pjessen almost 4 years ago
- Status changed from New to Resolved
- Assignee set to pjessen
- % Done changed from 0 to 100
Since 1 April, we have delivered 1'282'586 mails via TLS, seems to be working fine :-)
Personally I see no reason for using TLS for our internal relaying, but if anyone disagrees, feel free to re-open.
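Because `smtp_tls_security_level = may` falls back to cleartext when a receiver does not offer STARTTLS, the lines written by `smtp_tls_loglevel = 1` can be used to see which relays actually received mail over TLS. The following is an added example, not part of the ticket or the openSUSE configuration: it pairs each "TLS connection established" line with the `status=sent` lines of the same smtp process. Assumptions: the log line shapes shown in the constructed sample, and no connection reuse across smtp processes.

```python
import re
from collections import Counter

# Line shapes assumed: Postfix smtp(8) client logging with smtp_tls_loglevel = 1.
TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+ TLS connection established to (\S+): ")
SENT_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+): to=<[^>]*>.*?relay=([^,]+),.*status=sent")

# Constructed sample log (hostnames, addresses and queue IDs are made up).
SAMPLE = """\
Apr  1 10:00:01 relay1 postfix/smtp[2101]: Untrusted TLS connection established to mx1.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  1 10:00:02 relay1 postfix/smtp[2101]: 4A1B2C3D4E: to=<a@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr  1 10:00:02 relay1 postfix/smtp[2101]: 4A1B2C3D4E: to=<b@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr  1 10:00:05 relay1 postfix/smtp[2102]: 5B2C3D4E5F: to=<c@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.8, dsn=2.0.0, status=sent (250 OK)
Apr  1 10:00:09 relay1 postfix/smtp[2101]: 6C3D4E5F60: to=<d@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=0.9, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr  1 10:00:12 relay1 postfix/smtp[2103]: 7D4E5F6071: to=<e@example.com>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.5]:25: Connection timed out)
"""

def tls_delivery_report(lines):
    """Return (tls, cleartext) Counters of status=sent deliveries per relay."""
    session = {}  # smtp pid -> [relay that negotiated TLS, queue ID using it]
    tls, cleartext = Counter(), Counter()
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            session[m.group(1)] = [m.group(2), None]
            continue
        m = SENT_RE.search(line)
        if not m:
            continue  # deferred, bounced, or not an smtp client line
        pid, qid, relay = m.groups()
        s = session.get(pid)
        # A TLS line counts only for the next message this process delivers
        # to that relay; later messages need their own handshake line.
        if s and s[0] == relay and s[1] in (None, qid):
            s[1] = qid
            tls[relay] += 1
        else:
            session.pop(pid, None)
            cleartext[relay] += 1
    return tls, cleartext

if __name__ == "__main__":
    tls, cleartext = tls_delivery_report(SAMPLE.splitlines())
    for relay in sorted(set(tls) | set(cleartext)):
        print(f"{relay}: tls={tls[relay]} cleartext={cleartext[relay]}")
```

Relays that show up only in the cleartext counter are the destinations where opportunistic TLS is not protecting the mail.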