Enable opportunistic TLS for outgoing messages chankillo
author: Alex Dehnert <alex@dehnerts.com>
Sun, 19 Oct 2025 03:08:40 +0000 (03:08 +0000)
committer: Alex Dehnert <alex@dehnerts.com>
Sun, 19 Oct 2025 03:08:40 +0000 (03:08 +0000)
Google apparently wants people to use it (and admittedly it seems like a good
idea). Trying to use TLS to talk to SpamAssassin seems to get messages stuck in
queue, so disable it when talking to 127.0.0.1:10025 (SpamAssassin), which
admittedly shouldn't be very vulnerable to eavesdropping.

main.cf

diff --git a/main.cf b/main.cf
index f28dd16823f14b85ab0959ed1f60e97865f6dbcd..a30172d9f71e651627fb03ca89fc9241ed267fe5 100644 (file)
--- a/main.cf
+++ b/main.cf
@@ -289,6 +289,16 @@ smtpd_tls_auth_only = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
 
+# Apparently TLS for the client (outgoing mail) isn't the default prior to
+# compat level 3.11, for whatever reason
+
+smtp_tls_security_level = may
+smtp_tls_policy_maps = inline:{
+    # This is SpamAssassin/spampd, which doesn't support TLS, and checking
+    # seems to cause delays
+    {127.0.0.1:10025 = none},
+  }
+
 # Milter configuration
 # Based on https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/#testing-postfix-dkim-on-debian-9-with-a-gmail-test
 # http://www.opendkim.org/opendkim-README
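Review bot: the `{127.0.0.1:10025 = none}` entry in the new `smtp_tls_policy_maps` only takes effect if its key matches the next-hop destination exactly as the content filter is written, because Postfix indexes the TLS policy table by the verbatim next-hop; if the filter is configured as `smtp:[127.0.0.1]:10025` (the usual bracketed form), the key here will not match, the exception is silently ignored, and every hand-off to spampd will still attempt STARTTLS, which is the very delay this change is trying to avoid. Suggest keying the entry as `{[127.0.0.1]:10025 = none}` if that is the form in use, and confirming after the reload by setting `smtp_tls_loglevel = 1` and checking that the mail log shows no TLS negotiation toward 127.0.0.1:10025 while `Untrusted TLS connection established` (or `Trusted ...`) lines do appear for remote MX hosts. A smaller point for the `smtp_tls_security_level = may` comment: opportunistic TLS at this level is unauthenticated and falls back to cleartext whenever STARTTLS is not offered, so it only counters passive eavesdropping; worth stating that in the comment so nobody later assumes outbound mail is protected against an active downgrade (that would need `dane`, or per-destination `secure`/`verify` entries in this same policy map).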