mirror of
https://github.com/mail-in-a-box/mailinabox.git
synced 2024-11-22 02:17:26 +00:00
avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124
This commit is contained in:
parent
6a512042dc
commit
b86656243f
@ -31,7 +31,7 @@ source /etc/mailinabox.conf # load global vars
|
|||||||
|
|
||||||
# Install packages.
|
# Install packages.
|
||||||
|
|
||||||
apt_install postfix postgrey postfix-pcre
|
apt_install postfix postgrey postfix-pcre ca-certificates
|
||||||
|
|
||||||
# Basic Settings
|
# Basic Settings
|
||||||
|
|
||||||
@ -75,15 +75,27 @@ tools/editconf.py /etc/postfix/main.cf \
|
|||||||
smtpd_tls_received_header=yes
|
smtpd_tls_received_header=yes
|
||||||
|
|
||||||
# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
|
# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
|
||||||
# Postfix queries for the TLSA record on the destination MX host. If no TLSA records are found,
|
#
|
||||||
|
# Prefering ("opportunistic") TLS means Postfix will accept whatever SSL certificate the remote
|
||||||
|
# end provides, if the remote end offers STARTTLS during the connection. DANE takes this a
|
||||||
|
# step further:
|
||||||
|
#
|
||||||
|
# Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
|
||||||
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
|
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
|
||||||
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
|
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
|
||||||
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
|
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
|
||||||
# relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
|
# relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
|
||||||
# to use it.
|
# to use it.
|
||||||
|
#
|
||||||
|
# The smtp_tls_CAfile is superflous, but it turns warnings in the logs about untrusted certs
|
||||||
|
# into notices about trusted certs. Since in these cases Postfix is doing opportunistic TLS,
|
||||||
|
# it does not care about whether the remote certificate is trusted. But, looking at the logs,
|
||||||
|
# it's nice to be able to see that the connection was in fact encrypted for the right party.
|
||||||
|
# The CA file is provided by the package ca-certificates.
|
||||||
tools/editconf.py /etc/postfix/main.cf \
|
tools/editconf.py /etc/postfix/main.cf \
|
||||||
smtp_tls_security_level=dane \
|
smtp_tls_security_level=dane \
|
||||||
smtp_dns_support_level=dnssec \
|
smtp_dns_support_level=dnssec \
|
||||||
|
smtp_tls_CAfile=/etc/ssl/certs/ca-certificates.crt \
|
||||||
smtp_tls_loglevel=2
|
smtp_tls_loglevel=2
|
||||||
|
|
||||||
# Incoming Mail
|
# Incoming Mail
|
||||||
|
Loading…
Reference in New Issue
Block a user