use DANE when sending mail: if the recipient MX has a DANE TLSA record in DNS then Postfix will necessarily encrypt the mail in transport
parent
95e61bc110
commit
782ad04b10
@ -59,9 +59,16 @@ tools/editconf.py /etc/postfix/main.cf \
|
|||||||
smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
|
smtpd_tls_key_file=$STORAGE_ROOT/ssl/ssl_private_key.pem \
|
||||||
smtpd_tls_received_header=yes
|
smtpd_tls_received_header=yes
|
||||||
|
|
||||||
# When connecting to remote SMTP servers, prefer TLS.
|
# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
|
||||||
|
# Postfix queries for the TLSA record on the destination MX host. If no TLSA records are found,
|
||||||
|
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
|
||||||
|
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
|
||||||
|
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
|
||||||
|
# relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
|
||||||
|
# to use it.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
tools/editconf.py /etc/postfix/main.cf \
|
||||||
smtp_tls_security_level=may \
|
smtp_tls_security_level=dane \
|
||||||
|
smtp_dns_support_level=dnssec \
|
||||||
smtp_tls_loglevel=2
|
smtp_tls_loglevel=2
|
||||||
|
|
||||||
# Who can send outbound mail?
|
# Who can send outbound mail?
|
||||||
|
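Review bot: The added `smtp_dns_support_level=dnssec` line makes Postfix trust the DNSSEC status reported by whichever resolver the system uses, but nothing in this hunk checks that this is the local validating bind9 the new comment relies on. If /etc/resolv.conf lists another nameserver, or bind9 is not validating, TLSA answers arrive unauthenticated and delivery falls back to opportunistic TLS without any error, so DANE is never enforced. I would state that dependency in the comment, e.g. `# NOTE: requires /etc/resolv.conf to list only 127.0.0.1 and bind9 to validate DNSSEC; otherwise this silently degrades to opportunistic TLS.`, and confirm it where the resolver is configured, which is not visible in this hunk. Separately, a TLSA mismatch normally defers the message until the queue lifetime expires rather than bouncing it at once, so "or else the mail bounces" would be more accurate as "or else delivery is deferred and eventually bounces".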