Commits

Zhang Huangbin committed 15a5602

Enable Opportunistic TLS support in Postfix when sending mail to remote SMTP server (smtp_tls_security_level=may).
Thanks kotso <admin _at_ co.ge> and vlastikcz for the report.


Files changed (3)

iRedMail/ChangeLog

 iRedMail-0.8.6:
+    * Enable Opportunistic TLS support in Postfix when sending mail to remote
+      SMTP server (smtp_tls_security_level=may).
+      Thanks kotso <admin _at_ co.ge> and vlastikcz for the report.
     * Works on openSUSE-13.1 milestone 4.
     * Switch from Policyd-1.8 to Cluebringer on all Linux/BSD distributions,
       with easier white/black/greylisting management.
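Review bot: the entry names only smtp_tls_security_level, but the accompanying functions/postfix.sh change in this commit also sets smtp_tls_CAfile and smtp_tls_loglevel; since postfix.sh is installer code, listing all three keys here lets operators of already-installed 0.8.x systems apply the same change to main.cf by hand instead of guessing from the one parameter mentioned.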

iRedMail/functions/postfix.sh

     postconf -e smtpd_reject_unlisted_recipient='yes'
     postconf -e smtpd_reject_unlisted_sender='yes'
 
+    # Opportunistic TLS, used when Postfix sends email to remote SMTP server.
+    # Use TLS if this is supported by the remote SMTP server, otherwise use
+    # plaintext.
+    # References:
+    #   - http://www.postfix.org/TLS_README.html#client_tls_may
+    #   - http://www.postfix.org/postconf.5.html#smtp_tls_security_level
+    postconf -e smtp_tls_security_level='may'
+    postconf -e smtp_tls_loglevel='0'
+    # Use the same CA file as smtpd.
+    postconf -e smtp_tls_CAfile='$smtpd_tls_CAfile'
+    #postconf -e smtp_tls_note_starttls_offer='yes'
+
     # Sender restrictions
     postconf -e smtpd_sender_restrictions="permit_mynetworks, reject_sender_login_mismatch, permit_sasl_authenticated"
 
     # We use 'maildir' format, not 'mbox'.
     if [ X"${MAILBOX_FORMAT}" == X"Maildir" ]; then
         postconf -e home_mailbox="Maildir/"
-    else
-        :
     fi
+
     postconf -e maximal_backoff_time="4000s"
 
     # Allow recipient address start with '-'.
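Review bot: `postconf -e smtp_tls_loglevel='0'` switches off all client-side TLS logging, so after this change there is no record in the mail log of whether a given outbound delivery actually negotiated TLS or silently fell back to plaintext, which is exactly the thing an operator wants to be able to check with opportunistic TLS; suggest `postconf -e smtp_tls_loglevel='1'`, which logs a one-line summary per handshake (trusted/untrusted/anonymous and the cipher) without the per-connection noise of higher levels. Relatedly, the comment above `smtp_tls_CAfile='$smtpd_tls_CAfile'` should say that at security level 'may' the CA file only affects how the remote certificate is reported in that summary, not whether delivery proceeds, so nobody reads this block as certificate-verified TLS. The commented-out smtp_tls_note_starttls_offer line is dead code with 'may' in effect (Postfix will use STARTTLS whenever it is offered) and can be dropped rather than left as a hint. Removing the empty `else :` branch is fine.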

iRedMail/samples/cluebringer_extra.sql

 
 -- Add new column: policy_group_members.Type.
 -- It's used to identify record type/kind in iRedAdmin-Pro, for easier
--- management.
+-- management of white/blacklists.
 --
 -- Samples:
 --   - Type=ip: value of `Member` is an IP address or CIDR range
 --   - Type=domain: a valid domain name
 --
 -- We can use multiple policies for different types, but it bringer more SQL
--- queries for each policy request, this is not a good idea since Cluebringer
--- is used to process every in/out SMTP session.
+-- queries for each policy request, this is not a good idea for performance
+-- since Cluebringer is used to process every in/out SMTP session.
 ALTER TABLE policy_group_members ADD COLUMN Type VARCHAR(10) NOT NULL DEFAULT '';
 CREATE INDEX policy_group_members_type ON policy_group_members (Type);
 CREATE INDEX policy_group_members_policygroupid_type ON policy_group_members (PolicyGroupID, Type);
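Review bot: the unchanged context line "but it bringer more SQL" still carries the typo ("brings"), and since this hunk already rewrites the sentence around it, fixing it here would be cheap. More substantively, the comment documents only two values for the new column (ip, domain) while the DDL accepts any string up to ten characters with an empty-string default; either list the complete set of allowed values in the comment or constrain the column (a CHECK constraint or an application-side validation note), so that iRedAdmin-Pro and Cluebringer agree on what an unexpected Type means.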