mailinabox
Commit b8665624
authored Aug 02, 2014 by Joshua Tauberer
avoid mail.log warnings about untrusted certificates on outgoing mail, fixes #124
parent 6a512042
Showing 1 changed file with 15 additions and 3 deletions (+15 -3): setup/mail-postfix.sh
setup/mail-postfix.sh @ b8665624
...
@@ -31,7 +31,7 @@ source /etc/mailinabox.conf # load global vars
...
@@ -31,7 +31,7 @@ source /etc/mailinabox.conf # load global vars
# Install packages.
# Install packages.
apt_install postfix postgrey postfix-pcre
apt_install postfix postgrey postfix-pcre
ca-certificates
# Basic Settings
# Basic Settings
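Review bot: the new package in `apt_install postfix postgrey postfix-pcre ca-certificates` is only explained by a comment much further down the file ("The CA file is provided by the package ca-certificates."); a short comment on the install line itself saying that ca-certificates exists to supply smtp_tls_CAfile would keep a future cleanup from dropping it as an unused dependency.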
...
@@ -75,15 +75,27 @@ tools/editconf.py /etc/postfix/main.cf \
...
@@ -75,15 +75,27 @@ tools/editconf.py /etc/postfix/main.cf \
smtpd_tls_received_header
=
yes
smtpd_tls_received_header
=
yes
# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
# When connecting to remote SMTP servers, prefer TLS and use DANE if available.
# Postfix queries for the TLSA record on the destination MX host. If no TLSA records are found,
#
# Prefering ("opportunistic") TLS means Postfix will accept whatever SSL certificate the remote
# end provides, if the remote end offers STARTTLS during the connection. DANE takes this a
# step further:
#
# Postfix queries DNS for the TLSA record on the destination MX host. If no TLSA records are found,
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
# then opportunistic TLS is used. Otherwise the server certificate must match the TLSA records
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
# or else the mail bounces. TLSA also requires DNSSEC on the MX host. Postfix doesn't do DNSSEC
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
# itself but assumes the system's nameserver does and reports DNSSEC status. Thus this also
# relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
# relies on our local bind9 server being present and smtp_dns_support_level being set to dnssec
# to use it.
# to use it.
#
# The smtp_tls_CAfile is superflous, but it turns warnings in the logs about untrusted certs
# into notices about trusted certs. Since in these cases Postfix is doing opportunistic TLS,
# it does not care about whether the remote certificate is trusted. But, looking at the logs,
# it's nice to be able to see that the connection was in fact encrypted for the right party.
# The CA file is provided by the package ca-certificates.
tools/editconf.py /etc/postfix/main.cf
\
tools/editconf.py /etc/postfix/main.cf
\
smtp_tls_security_level
=
dane
\
smtp_tls_security_level
=
dane
\
smtp_dns_support_level
=
dnssec
\
smtp_dns_support_level
=
dnssec
\
smtp_tls_CAfile
=
/etc/ssl/certs/ca-certificates.crt
\
smtp_tls_loglevel
=
2
smtp_tls_loglevel
=
2
# Incoming Mail
# Incoming Mail
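Review bot: the comment added above the editconf call overstates what the new `smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt` setting proves: it says the log lets you see "that the connection was in fact encrypted for the right party", but at the opportunistic level that applies when no TLSA records exist, Postfix verifies the chain against the CA file without matching the certificate name, so a "Trusted" log entry confirms only that the chain validated, and only a "Verified" entry (DANE, or a verify/secure level) confirms the peer identity. Suggest rewording that sentence so nobody treats the CA file as a security control, and while editing the comment fix the two spellings: `# Prefering ("opportunistic") TLS means Postfix will accept whatever SSL certificate the remote` should read "Preferring", and `# The smtp_tls_CAfile is superflous, but it turns warnings in the logs about untrusted certs` should read "superfluous". Note also that with the unchanged `smtp_tls_loglevel = 2` the extra certificate detail will now be logged on every outbound connection.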
...
@@ -137,4 +149,4 @@ ufw_allow submission
...
@@ -137,4 +149,4 @@ ufw_allow submission
# Restart services
# Restart services
restart_service postfix
restart_service postfix
\ No newline at end of file
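Review bot: the file still ends without a trailing newline after `restart_service postfix` (the hunk shows `\ No newline at end of file`); since this commit already touches the end of the script, add the newline now so the next change to the last line does not show up as a spurious modification of it.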