tickets #40574
closed
Email: tls configuration for anna/elsa
Added by tampakrap over 5 years ago.
Updated about 4 years ago.
Description
anna/elsa send unencrypted mails. We need to
1) adjust the crtmgr hooks.sh script to send the certificates to the postfix ssl directory
2) adjust main.cf with proper tls configuration
- Private changed from Yes to No
There is no need for a certificate for sending - just enable TLS. smtp_tls_security_level = may
Could you also explain to me why, please?
When the receiving side offers TLS, the sending side only needs to validate the certificate, but doesn't need a certificate itself.
Just like a browser accessing an https site.
anna/elsa are also relayhosts
tampakrap wrote:
anna/elsa are also relayhosts
But only for internal mails? Yes, if you want to encrypt that too, they will need certificates.
and updating the senders with smtp_tls_security_level = may
- Subject changed from tls configuration for anna/elsa to Email: tls configuration for anna/elsa
- Category changed from Servers hosted in NBG to Email
I have enabled opportunistic TLS on anna and elsa, don't know why it took me so long. We had messages queueing up due to outlook.com requiring TLS, which is actually against the standing recommendation. Oh well.
# 20200331 pjessen https://progress.opensuse.org/issues/40574
#smtp_use_tls = no
#smtp_enforce_tls = no
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
- Status changed from New to Resolved
- Assignee set to pjessen
- % Done changed from 0 to 100
Since 1 April, we have delivered 1'282'586 mails via TLS, seems to be working fine :-)
Personally I see no reason for using TLS for our internal relaying, but if anyone disagrees, feel free to re-open.
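
An added example, not part of the ticket: with smtp_tls_loglevel = 1 as in the configuration above, the Postfix SMTP client logs one summary line per TLS session, so a "delivered via TLS" figure can be checked from the mail log and plaintext deliveries listed. The log lines are constructed samples, and pairing a delivery with a TLS session by smtp process id and relay is a heuristic assumed here.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtp client log lines (smtp_tls_loglevel = 1).
SAMPLE_LOG = """\
Apr  1 10:00:01 anna postfix/smtp[2101]: Untrusted TLS connection established to mx1.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  1 10:00:02 anna postfix/smtp[2101]: 4A1B2C3D4E: to=<a@example.org>, relay=mx1.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr  1 10:00:05 anna postfix/smtp[2102]: 5B2C3D4E5F: to=<b@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr  1 10:00:09 anna postfix/smtp[2103]: Trusted TLS connection established to mx2.example.com[203.0.113.5]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Apr  1 10:00:10 anna postfix/smtp[2103]: 6C3D4E5F60: to=<c@example.com>, relay=mx2.example.com[203.0.113.5]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Apr  1 10:00:11 anna postfix/smtp[2103]: 6C3D4E5F61: to=<d@example.com>, relay=mx2.example.com[203.0.113.5]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=4.7.0, status=deferred (host said: 451 try later)
"""

# TLS session summary line: trust level, peer, negotiated protocol.
TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+) TLS connection established to "
                    r"(\S+?\[[^\]]+\]:\d+): (\S+) with cipher")
# Successful delivery line: queue id, recipient, relay.
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]*)>, "
                     r"relay=(\S+?\[[^\]]+\]:\d+),.*status=sent")


def audit(log_text):
    """Return (sent mails per TLS trust level, list of plaintext deliveries)."""
    tls_sessions = {}  # (smtp pid, relay) -> trust level of the logged session
    levels, plaintext = Counter(), []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, level, relay, _proto = m.groups()
            tls_sessions[(pid, relay)] = level
            continue
        m = SENT_RE.search(line)
        if m:
            pid, qid, rcpt, relay = m.groups()
            # Heuristic (assumption): same smtp process + same relay = same session.
            level = tls_sessions.get((pid, relay))
            if level:
                levels[level] += 1
            else:
                plaintext.append((qid, rcpt, relay))
    return levels, plaintext


if __name__ == "__main__":
    by_level, clear = audit(SAMPLE_LOG)
    print("sent via TLS, by trust level:", dict(by_level))
    for qid, rcpt, relay in clear:
        print(f"sent in plaintext: {qid} to {rcpt} via {relay}")
```

With smtp_tls_security_level = may, a plaintext entry means the receiving relay did not offer STARTTLS or the handshake failed, so this list shows which destinations would be affected by a stricter level.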