Encrypt outgoing messages (relayed) with STARTTLS by default #83

Merged
merged 5 commits into from
Dec 30, 2020

tersmitten
Member

No description provided.

@tersmitten tersmitten added this to the 2.12.0 milestone May 17, 2020
@tersmitten tersmitten self-assigned this May 17, 2020
smtp_tls_note_starttls_offer = yes
smtp_use_tls = {{ postfix_smtp_tls_security_level != 'none' | ternary('yes', 'no')}}
smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}
smtp_tls_note_starttls_offer = {{ postfix_smtp_tls_note_starttls_offer | bool | ternary('yes', 'no') }}
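Review bot: On the smtp_use_tls line the comparison never reaches ternary. Jinja2 applies a filter before `!=`, so the expression is read as postfix_smtp_tls_security_level != ('none' | ternary('yes', 'no')) and renders True or False instead of yes or no. Wrap the comparison in parentheses: (postfix_smtp_tls_security_level != 'none') | ternary('yes', 'no'). The same line is also missing the space before the closing braces that the other two templated lines have.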
Member Author

Note that this is only used when a postfix_relayhost is configured and if postfix_relaytls

@theel0ja
@agimenez

Member Author

@tersmitten tersmitten May 17, 2020

If you want to use it without those options, you can do something like this:

# Parentheses are required: Jinja2 applies the filter before the != comparison.
postfix_raw_options:
  - |
    smtp_use_tls = {{ (postfix_smtp_tls_security_level != 'none') | ternary('yes', 'no') }}
    smtp_tls_security_level = {{ postfix_smtp_tls_security_level }}

Member Author

Or do you guys think it should be outside the if's?

Contributor

I'd leave it inside the if, since for some reason someone may want not to use TLS, so flexibility is fine here IMO.

But I'd switch smtp_use_tls completely, as since 2.3, the recommended variable is smtp_tls_security_level instead (I am not sure anyone wants to use older versions in a critical piece of software like an SMTP server).

It depends on whether you want to potentially break old installations or not.
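As an added example (not part of this pull request or the role's code), the following audits a rendered main.cf for the two outbound parameters discussed in this thread and reports the effective policy. The function names and the sample input are assumptions made for illustration, and only smtp_use_tls and smtp_tls_security_level are considered.

```python
# Added example, not the role's code: audit outbound TLS settings in main.cf.
import re

VALID_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
                "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Return {name: value}; later definitions win, as in Postfix."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                              # blank line or comment
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()     # continuation line
        else:
            logical.append(line.strip())
    params = {}
    for entry in logical:
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(.*)$", entry)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_smtp_tls(text):
    """Return (effective_level, findings) for outgoing mail."""
    p, findings = parse_main_cf(text), []
    level = p.get("smtp_tls_security_level", "")
    legacy = p.get("smtp_use_tls")
    if legacy is not None:
        findings.append("smtp_use_tls is obsolete; prefer smtp_tls_security_level")
        if legacy.lower() not in ("yes", "no"):
            findings.append(f"smtp_use_tls = {legacy!r} is not yes/no")
    if level:
        if level not in VALID_LEVELS:
            findings.append(f"unknown smtp_tls_security_level {level!r}")
        effective = level          # a non-empty level overrides smtp_use_tls
    else:
        effective = "may" if (legacy or "").lower() == "yes" else "none"
    if effective == "none":
        findings.append("outgoing mail is never encrypted")
    elif effective == "may":
        findings.append("opportunistic TLS: cleartext if STARTTLS is not offered")
    return effective, findings

# Constructed sample input, not taken from the pull request.
SAMPLE = """\
smtp_use_tls = True
smtp_tls_security_level = may
"""
```

Calling audit_smtp_tls(SAMPLE) returns the effective level together with a list of findings, which makes it usable as a post-deploy check on the templated file.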

@tersmitten tersmitten modified the milestones: 2.12.0, 3.1.0 May 18, 2020
@tersmitten tersmitten modified the milestones: 3.1.0, 3.3.0 Dec 30, 2020
@tersmitten tersmitten merged commit 4d2f67a into master Dec 30, 2020
@tersmitten tersmitten deleted the pr-80 branch December 30, 2020 22:27
jchrisweaver pushed a commit to weaverconsultingllc/ansible-postfix that referenced this pull request Jun 21, 2024
Encrypt outgoing messages (relayed) with STARTTLS by default