Do I understand tls_policy_maps right?
When I set in main.cf:
and do in
will then every mail leaving my server to externaldomain.com be forced
to use TLS?
And when I set in the same map
every incoming mail is checked if the cert is signed by the CA that
I have stored in the CA_path?
On Sun, Feb 10, 2013 at 09:22:34PM +0100, weber@... wrote:

> When I set in main.cf:
> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> and in
> example.com encrypt
> Will then every mail leaving my server to example.com be required
> to use TLS?

Yes, but without validation of the peer certificate. Thus you get
protection from passive eavesdropping, but not active man-in-the-middle
attacks (on TLS).

> And when I set in the same map
> example.net verify
> Every incoming mail is checked if the cert is signed by the CA
> that I have stored in the CA_path?

No. The policy table as documented applies only to outgoing mail.
Also the "verify" security level is not immune to MITM attacks that
return forged DNS responses. To avoid all MITM attacks, use "secure",
not "verify", provided the destination's SMTP servers have suitable

Often you need to explicitly provide non-default "match" parameters
along with the "secure" policy. Once you do so, the "verify" and
"secure" levels become identical; they only differ in their default

All of this is explained in
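To make the difference between the three levels concrete, here is an added policy-table example (it is not from the thread above or from the Postfix documentation). The domain names, the CA bundle path and the MX host names used in the match list are assumptions; substitute the real next-hop domains and the names that actually appear in the destination's certificates.

```text
# /etc/postfix/main.cf  (added example; paths are assumptions)
#
# Opportunistic TLS for everyone not listed in the policy table.
smtp_tls_security_level = may
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
# CA bundle used for "verify" and "secure" (smtp_tls_CApath works too).
smtp_tls_CAfile         = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel       = 1

# /etc/postfix/tls_policy  (rebuild after editing: postmap hash:/etc/postfix/tls_policy)
#
# The lookup key is the next-hop destination of *outgoing* mail, i.e. the
# recipient domain (or a [relayhost] in brackets). Nothing here affects
# inbound mail; the SMTP server side is governed by smtpd_tls_* settings.

# encrypt: TLS is mandatory, the peer certificate is NOT verified.
#   Defeats passive eavesdropping only; an active MITM can present any
#   certificate and Postfix will accept it.
example.com        encrypt

# verify: TLS mandatory, certificate must chain to a CA in smtp_tls_CAfile,
#   and the default match ("hostname") is the MX host name learned from DNS.
#   An attacker who forges the MX answer can steer mail to a host that holds
#   a valid CA-issued certificate for the forged name.
example.net        verify

# secure: like verify, but the default match is "nexthop:dot-nexthop", i.e.
#   example.org or *.example.org, names taken from the policy key rather
#   than from DNS, so forged DNS alone does not help the attacker.
example.org        secure

# secure with an explicit match list: needed when the destination's MX hosts
#   present certificates for names that are not the next-hop domain. The
#   list is colon-separated; a leading "." matches subdomains. Once match=
#   is given explicitly, "verify" and "secure" behave identically.
example.edu        secure match=mx1.mailhost.example:.mailhost.example

# A relayhost is looked up with its brackets, exactly as written in main.cf.
[smtp.isp.example]   secure match=smtp.isp.example
```

After `postmap`, `postconf -n` should show the map, and a test delivery with `smtp_tls_loglevel = 1` logs "Verified TLS connection" for verify/secure and "Untrusted TLS connection" for encrypt. If a secure destination logs "Untrusted" or the mail is deferred, the certificate's CN/SAN names do not cover the match list, which is the usual sign that an explicit `match=` is required.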