Univention Bugzilla – Bug 44589
relayhost with authentication only over TLS
Last modified: 2017-06-15 17:58:17 CEST
If "mail/relayauth" is enabled you want to set postfix default of "mail/postfix/tls/client/level=encrypt". The UCS default is: smtp_tls_security_level = may In this case it will be possible to send your user name + password unencrypted over the Internet. """ When TLS handshakes fail, the connection is retried with TLS disabled. This allows mail delivery to sites with non-interoperable TLS implementations. """ In a case where you use a smart-host of a provider with relay authentication, you want to ensure that your password is only send in an encrypted session. So in this case you have to manually set "mail/postfix/tls/client/level=encrypt". I think this should be described clearly in the documentation [1]. The more effective way would be to set "mail/postfix/tls/client/level=encrypt" if "mail/relayauth" is enabled. [1] https://docs.software-univention.de/manual-4.2.html#mail::serverconfig::relay
r79953: * the default for mail/postfix/tls/client/level if unset has been changed to "may" * set smtp_tls_security_level=encrypt if mail/relayauth is enabled * add section to manual r79954: add missing UCRV to ucr-registry Package: univention-mail-postfix Version: 11.0.1-4A~4.2.0.201705310933 Branch: ucs_4.2-0 Scope: errata4.2-0
r80142 | Bug #44589: some tweaks for the mail section of the UCS manual r80148 | Bug #44589: some tweaks for the mail section of the UCS manual univention-mail-postfix (11.0.1-8): r80143 | Bug #44589: updated UCR variable descriptions r80147 | Bug #44589: updated UCR variable descriptions Package: univention-mail-postfix Version: 11.0.1-8A~4.2.0.201706131359 Branch: ucs_4.2-0 Scope: errata4.2-0 The UCR template will set smtp_tls_security_level=encrypt if * mail/relayhost != "" * mail/relayauth is True * mail/postfix/tls/client/level != "none" Otherwise, mail/postfix/tls/client/level is directly used. The new default of mail/postfix/tls/client/level within the UCR template is "may". The UCR variable will no longer be set in univention-mail-postfix.postinst. There is no impact for existing installations.
<http://errata.software-univention.de/ucs/4.2/36.html>