Univention Bugzilla – Bug 44589
relayhost with authentication only over TLS
Last modified: 2017-06-15 17:58:17 CEST
If "mail/relayauth" is enabled you want to set postfix default of "mail/postfix/tls/client/level=encrypt".
The UCS default is:
smtp_tls_security_level = may
In this case it will be possible to send your user name + password unencrypted over the Internet.
When TLS handshakes fail, the connection is retried with TLS disabled. This allows mail delivery to sites with non-interoperable TLS implementations.
In a case where you use a smart-host of a provider with relay authentication, you want to ensure that your password is only sent in an encrypted session. So in this case you have to manually set "mail/postfix/tls/client/level=encrypt".
I think this should be described clearly in the documentation. The more effective way would be to set "mail/postfix/tls/client/level=encrypt" if "mail/relayauth" is enabled.
* the default for mail/postfix/tls/client/level if unset has been changed to "may"
* set smtp_tls_security_level=encrypt if mail/relayauth is enabled
* add section to manual
r79954: add missing UCRV to ucr-registry
r80142 | Bug #44589: some tweaks for the mail section of the UCS manual
r80148 | Bug #44589: some tweaks for the mail section of the UCS manual
r80143 | Bug #44589: updated UCR variable descriptions
r80147 | Bug #44589: updated UCR variable descriptions
The UCR template will set smtp_tls_security_level=encrypt if
* mail/relayhost != ""
* mail/relayauth is True
* mail/postfix/tls/client/level != "none"
Otherwise, mail/postfix/tls/client/level is directly used.
The new default of mail/postfix/tls/client/level within the UCR template is "may". The UCR variable will no longer be set in univention-mail-postfix.postinst. There is no impact for existing installations.
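
The rule described in the comment above can be modelled to check which UCR settings still allow relay credentials to leave the host without TLS. This is an added example, not part of the bug report and not the UCR template itself; the helper names, the truthiness list and the sample host are assumptions.

```python
# Added example: a model of the rule in the comment above, not the UCR template.
# Assumption: these strings approximate how UCR treats a variable as "true".
TRUE_VALUES = {"yes", "true", "1", "enable", "enabled", "on"}
# Postfix smtp_tls_security_level values that refuse delivery without TLS.
# "none", "may" and "dane" do not guarantee an encrypted session.
ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}


def relay_auth_active(ucr):
    """True when a relay host is set and authentication against it is enabled."""
    relayhost = ucr.get("mail/relayhost", "").strip()
    relayauth = ucr.get("mail/relayauth", "").strip().lower()
    return bool(relayhost) and relayauth in TRUE_VALUES


def effective_tls_level(ucr, with_fix=True):
    """Return the smtp_tls_security_level the modelled template would write.

    with_fix=False models the earlier behaviour: the configured level
    (default "may", as the report states) is used regardless of relayauth.
    """
    level = ucr.get("mail/postfix/tls/client/level", "").strip() or "may"
    if with_fix and relay_auth_active(ucr) and level != "none":
        return "encrypt"
    return level


def credentials_exposed(ucr, with_fix=True):
    """True when relay credentials could be sent over a non-TLS session."""
    level = effective_tls_level(ucr, with_fix)
    return relay_auth_active(ucr) and level not in ENFORCING


if __name__ == "__main__":
    # Constructed sample settings; relay.example.net is a placeholder host.
    relay = {"mail/relayhost": "relay.example.net", "mail/relayauth": "yes"}
    samples = {
        "relay auth, level unset": relay,
        "relay auth, level none": dict(relay, **{"mail/postfix/tls/client/level": "none"}),
        "no relay auth": {"mail/postfix/tls/client/level": "may"},
    }
    for name, ucr in samples.items():
        for with_fix in (False, True):
            print(name, "| fix:", with_fix,
                  "| level:", effective_tls_level(ucr, with_fix),
                  "| exposed:", credentials_exposed(ucr, with_fix))
```

Under the rule as written, an explicit "none" still wins over relay authentication, so that combination stays worth checking for on hosts that use an authenticated relay.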