Hello,

Here in the Netherlands, we have several providers that claim that email is only exchanged over encrypted connections, like https://soverin.com/ .

Connections to and from other mail servers that do not accept secure encryption are rejected.

I would like that myself, but I wonder what happens when such a connection cannot be established. I would like such a message to be returned to the sender immediately, rather than getting stuck in the queue.

I would also like to get an idea of which mail will be rejected. Who is running a mail server without TLS 1.2 or higher?

With regards,
Paul van der Vlis

root@mail:~# postconf -n
alias_database =
alias_maps =
always_add_missing_headers = yes
biff = no
compatibility_level = 3.11
disable_vrfy_command = yes
enable_threaded_bounces = yes
local_header_rewrite_clients = permit_inet_interfaces, permit_sasl_authenticated
mailbox_size_limit = 0
message_size_limit = 52428800
milter_default_action = tempfail
milter_protocol = 6
mydestination =
mydomain = linuxmail.nl
myhostname = mx.linuxmail.nl
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = $mydomain
non_smtpd_milters = unix:rspamd/milter.sock,
recipient_delimiter = +
remote_header_rewrite_domain = domain.invalid
show_user_unknown_table_name = no
smtp_address_preference = ipv6
smtp_dns_support_level = dnssec
smtp_sasl_security_options =
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_ciphers = medium
smtp_tls_connection_reuse = yes
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtp_tls_protocols = >=TLSv1.2
smtp_tls_security_level = dane
smtp_tls_servername = hostname
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 12h
smtpd_client_port_logging = yes
smtpd_discard_ehlo_keywords = silent-discard, etrn,
smtpd_forbid_bare_newline = yes
smtpd_forbid_bare_newline_exclusions = $mynetworks
smtpd_milters = unix:rspamd/milter.sock,
smtpd_recipient_restrictions = reject_non_fqdn_recipient,
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination,
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_login_maps = unionmap:{ proxy:mysql:${config_directory}/sql/mysql_virtual_alias_maps.cf, proxy:mysql:${config_directory}/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:${config_directory}/sql/mysql_virtual_alias_domain_catchall_maps.cf, pcre:${config_directory}/sender_overrides.cf },
smtpd_sender_restrictions = reject_non_fqdn_sender, reject_authenticated_sender_login_mismatch,
smtpd_tls_cert_file = /etc/letsencrypt/live/mx.linuxmail.nl/fullchain.pem
smtpd_tls_ciphers = medium
smtpd_tls_key_file = /etc/letsencrypt/live/mx.linuxmail.nl/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = >=TLSv1.3
smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_received_header = yes
smtpd_tls_security_level = encrypt
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 12h
smtputf8_enable = no
tls_eecdh_auto_curves = X25519MLKEM768 SecP256r1MLKEM768 X25519 prime256v1 secp384r1
tls_high_cipherlist = @SECLEVEL=2:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
tls_medium_cipherlist = @SECLEVEL=0:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION,NO_RENEGOTIATION
unverified_recipient_defer_code = 250
unverified_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:${config_directory}/sql/mysql_virtual_alias_maps.cf, proxy:mysql:${config_directory}/sql/mysql_virtual_alias_domain_maps.cf, proxy:mysql:${config_directory}/sql/mysql_virtual_alias_domain_catchall_maps.cf,
virtual_mailbox_domains = proxy:mysql:${config_directory}/sql/mysql_virtual_domains_maps.cf,
virtual_mailbox_maps = proxy:mysql:${config_directory}/sql/mysql_virtual_mailbox_maps.cf, proxy:mysql:${config_directory}/sql/mysql_virtual_alias_domain_mailbox_maps.cf,
virtual_transport = lmtp:unix:private/dovecot-lmtp
root@mail:~# cat /etc/postfix/tls_policy
oldandverybad.com may
* encrypt
root@mail:~#

--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/

