ddavness / power-mailinabox

A Mail-in-a-Box with extra capabilities and more customizability. Not just for power users!
Creative Commons Zero v1.0 Universal
168 stars 31 forks

Configure TLS fallback option for mail delivery #95

Open lifeboy opened 1 year ago

lifeboy commented 1 year ago

How could I configure mail delivery to try with TLS, but if the receiving server doesn't support it, to fall back to unencrypted transmission?

[aaa.bbb@boschrexroth.co.za](mailto:aaa.bbb@boschrexroth.co.za): TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244]

[ccc.ddd@boschrexroth.co.za](mailto:ccc.ddd@boschrexroth.co.za): TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244]

[qqq.rrr@boschrexroth.co.za](mailto:qqq.rrr@boschrexroth.co.za): TLS is required, but was not offered by host mail.hytec.co.za[196.7.218.244]

lifeboy commented 1 year ago

I found this post: https://discourse.mailinabox.email/t/tls-is-required-but-was-not-offered-by-host/9317

So it seems that setting the following in /etc/postfix/main.cf will allow fallback to non-encrypted transmission:

smtp_tls_security_level=dane

smtp_tls_security_level=encrypt

"dane"... what does this actually mean? I see "try" is also an option.

lifeboy commented 1 year ago

To answer my own question:

https://www.postfix.org/TLS_README.html#client_tls_dane

Quite some way down on that page, I found this:

dane [Opportunistic DANE TLS](https://www.postfix.org/TLS_README.html#client_tls_dane). The TLS policy for the destination is obtained via TLSA records in DNSSEC. If no TLSA records are found, the effective security level used is [may](https://www.postfix.org/TLS_README.html#client_tls_may). If TLSA records are found, but none are usable, the effective security level is [encrypt](https://www.postfix.org/TLS_README.html#client_tls_encrypt). When usable TLSA records are obtained for the remote SMTP server, SSLv2+3 are automatically disabled (see [smtp_tls_mandatory_protocols](https://www.postfix.org/postconf.5.html#smtp_tls_mandatory_protocols)), and the server certificate must match the TLSA records. [RFC 7672](https://tools.ietf.org/html/rfc7672) (DANE) TLS authentication and DNSSEC support is available with Postfix 2.11 and later.

Would it then not be better to make "dane" the default smtp setting?
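To make the quoted rule concrete, here is an added example (not code from Postfix or this project) that models which effective level `smtp_tls_security_level=dane` resolves to for one destination, given the TLSA answer and whether it was DNSSEC-validated; `TlsaRecord`, `effective_level` and the `dnssec_validated` flag are names chosen for this illustration. It shows why `dane` still permits cleartext for the destination in the bounce above: a server with no TLSA records ends at `may`. The usage/selector/matching-type checks follow RFC 6698 and Postfix's DANE-TA/DANE-EE-only support; the digest-length check is an assumption, and DNS lookup errors (which Postfix defers on rather than downgrading) are not modelled.

```python
"""Model how Postfix's smtp_tls_security_level=dane picks an effective
security level for one destination (see TLS_README, client_tls_dane).
Constructed illustration; not code from Postfix or power-mailinabox."""
from dataclasses import dataclass
from typing import List, Optional

# RFC 6698 certificate usages: Postfix honours only DANE-TA(2) and
# DANE-EE(3); the PKIX-TA(0)/PKIX-EE(1) usages count as unusable.
USABLE_USAGES = {2, 3}
USABLE_SELECTORS = {0, 1}          # Cert(0) or SubjectPublicKeyInfo(1)
USABLE_MATCHING_TYPES = {0, 1, 2}  # Full(0), SHA2-256(1), SHA2-512(2)


@dataclass
class TlsaRecord:
    usage: int
    selector: int
    mtype: int
    data_hex: str

    def is_usable(self) -> bool:
        """A record Postfix could actually match a certificate against."""
        if self.usage not in USABLE_USAGES:
            return False
        if self.selector not in USABLE_SELECTORS:
            return False
        if self.mtype not in USABLE_MATCHING_TYPES:
            return False
        # Assumed: digest length must fit the hash (SHA2-256 = 64 hex chars,
        # SHA2-512 = 128); Full(0) carries the whole cert/SPKI, any length.
        expected = {1: 64, 2: 128}.get(self.mtype)
        if expected is not None and len(self.data_hex) != expected:
            return False
        try:
            bytes.fromhex(self.data_hex)
        except ValueError:
            return False
        return True


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the zone-file form '3 1 1 <hex...>' (hex may be split by spaces)."""
    usage, selector, mtype, *data = presentation.split()
    return TlsaRecord(int(usage), int(selector), int(mtype), "".join(data).lower())


def effective_level(tlsa_answers: Optional[List[str]], dnssec_validated: bool) -> str:
    """Effective level under smtp_tls_security_level=dane for one destination.
    No answer, or an answer without DNSSEC validation, is treated as 'no TLSA'."""
    if not tlsa_answers or not dnssec_validated:
        return "may"      # opportunistic: cleartext if STARTTLS is not offered
    records = [parse_tlsa(a) for a in tlsa_answers]
    if not any(r.is_usable() for r in records):
        return "encrypt"  # TLS mandatory, certificate not checked against TLSA
    return "dane"         # TLS mandatory and certificate must match a TLSA record
```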

lifeboy commented 1 year ago

Would it be a big undertaking to allow this option to be selected from the GUI? Or maybe as part of the setup script?

e.g. Would you like to enable "dane" TLS fallback? Yes/No.

lifeboy commented 2 months ago

This is a pretty old ticket, but no response yet? This happens every now and then, so can we make this change?

PyroniaDE commented 2 months ago

> This is a pretty old ticket, but no response yet? This happens every now and then, so can we make this change?

Can't see the struggle. Change it in your personal config, if you accept the unencrypted transmission. This shouldn't be a standard config or option for all.

ddavness commented 2 months ago

Hi!

I'm still in the (slow) process of catching up to the latest upstream versions, so it'll take a while until I get to these open issues 😅 Apologies for the delay 😔

lifeboy commented 2 months ago

> This is a pretty old ticket, but no response yet? This happens every now and then, so can we make this change?

> Change it in your personal config, if you accept the unencrypted transmission. This shouldn't be a standard config or option for all.

I'm not sure I get your point. Which "personal config" are you referring to? If I change this in /etc/postfix/main.cf, like this:

smtp_tls_security_level=dane
#smtp_tls_security_level=encrypt

each time I run an update I have to manually change it back to the above. There are (surprisingly) still some large orgs/ISPs that have mail servers that don't have encrypted connections!

lifeboy commented 2 months ago

> Hi!
>
> I'm still in the (slow) process of catching up to the latest upstream versions, so it'll take a while until I get to these open issues 😅 Apologies for the delay 😔

:+1: :1st_place_medal: