From: Alex Dehnert
Date: Sun, 19 Oct 2025 03:08:40 +0000 (+0000)
Subject: Enable opportunistic TLS for outgoing messages
X-Git-Url: https://dehnerts.com/gitweb/?a=commitdiff_plain;h=refs%2Fheads%2Fchankillo;p=sysconfig%2Fpostfix.git

Enable opportunistic TLS for outgoing messages

Google apparently wants people to use it (and admittedly it seems like a good idea). Trying to use TLS to talk to SpamAssassin seems to get messages stuck in queue, so disable it when talking to 127.0.0.1:10025 (SpamAssassin), which admittedly shouldn't be very vulnerable to eavesdropping.
---
diff --git a/main.cf b/main.cf
index f28dd16..a30172d 100644
--- a/main.cf
+++ b/main.cf
@@ -289,6 +289,16 @@ smtpd_tls_auth_only = yes
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
+# Apparently TLS for the client (outgoing mail) isn't the default prior to
+# compat level 3.11, for whatever reason
+
+smtp_tls_security_level = may
+smtp_tls_policy_maps = inline:{
+ # This is SpamAssassin/spampd, which doesn't support TLS, and checking
+ # seems to cause delays
+ {127.0.0.1:10025 = none},
+ }
+
 # Milter configuration
 # Based on https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/#testing-postfix-dkim-on-debian-9-with-a-gmail-test
 # http://www.opendkim.org/opendkim-README
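Review bot: The `{127.0.0.1:10025 = none}` entry only takes effect if its key is spelled exactly like the next-hop of the content_filter / master.cf transport that feeds SpamAssassin, which this hunk does not show; Postfix looks the TLS policy up by the verbatim next-hop destination, so a filter configured as `smtp:[127.0.0.1]:10025` is keyed `[127.0.0.1]:10025` and the bracket-less entry here would not match, leaving TLS attempted on that hop (and the queue delays the commit message describes). Worth checking the transport spec and, if it is bracketed, changing the line to `{[127.0.0.1]:10025 = none},`. Since `may` is opportunistic and falls back to plaintext without error, consider also setting `smtp_tls_loglevel = 1` (if not already set elsewhere in main.cf) so the per-delivery TLS outcome is logged and the `none` policy can be confirmed to apply to the filter hop only.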