On Thu, Oct 30, 2025 at 06:58:27PM -0400, Wietse Venema via Postfix-users wrote:
> David Mandelberg via Postfix-users:
> > Oct 30 20:33:28 mail-inbound-119b7863 postfix-inbound/qmgr[15646]:
> > 4cyFfv6Tdcz1t: from=<REDACTED>, size=11406, nrcpt=1 (queue active)
> > Oct 30 20:33:28 mail-inbound-119b7863 postfix-inbound/lmtp[15765]:
> > warning: lmtp_tls_wrappermode requires "lmtp_tls_security_level =
> > encrypt" (or stronger)
>
> That is a bad interaction with "TLS-Required: no" (which means
> lmtp_tls_security_level = may) and TLS wrappermode (which requires
> lmtp_tls_security_level = encrypt or stronger).
>
> I think that TLS wrappermode should override "TLS-Required: no",
> because by design, TLS can't be optional for wrappermode connections.
> TLS can be optional only for connections that use STARTTLS.
>
> That leaves the question whether "TLS-Required: no" for wrappermode
> should downgrade "encrypt" and disable stronger authentication like
> fingerprint etc.

My instinct is that a downgrade to "encrypt", rather than "may", is the
sensible choice in this situation. In either LMTP or SMTP mode (since
IIRC both support wrapper mode).
--
Viktor. 🇺🇦 Слава Україні!