From bfe88e1ca1fb6b812f2e44b9fded31cb4bc41076 Mon Sep 17 00:00:00 2001
From: Mar Alegre
Date: Mon, 26 Apr 2021 13:24:22 -0400
Subject: [PATCH] added outgoing mail encryption to mailsrv
---
 mailsrv/assets/postfix/main.cf.part | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/mailsrv/assets/postfix/main.cf.part b/mailsrv/assets/postfix/main.cf.part
index 4e3f23a..b6279b1 100644
--- a/mailsrv/assets/postfix/main.cf.part
+++ b/mailsrv/assets/postfix/main.cf.part
@@ -28,13 +28,19 @@ local_transport = dovecot
 # set recipient limit to 1 so X-Original-To header addition will work
 dovecot_destination_recipient_limit = 1
 
-### SMTP ###
-# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
-# information on enabling SSL in the smtp client.
-smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+### Outgoing Mail ###
+# enable opportunistic TLS for outgoing mail
+smtp_tls_security_level = may
 smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
-# whether to allow or enforce TLS. Acceptable values are 'none', 'may', or 'encrypt'.
-smtpd_tls_security_level=may
+# log whether connection has completed encryption handshake
+smtp_tls_loglevel = 1
+
+### Incoming Mail ###
+# enable opportunistic TLS for incoming mail
+smtpd_tls_security_level = may
+smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
+# prevent sending passwords over unsecured connections
+smtpd_tls_auth_only = yes
 # where to find certs
 smtpd_tls_cert_file=/vol/ssl/fullchain.pem
 smtpd_tls_key_file=/vol/ssl/privkey.pem
@@ -45,8 +51,6 @@ smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 # and the common settings to enable SASL:
 smtpd_sasl_auth_enable = yes
-
-### Security ###
 # these settings apply to BOTH authenticated and unauthenticated mail
 # for security settings for only authenticated mail, use options in master.cf
 smtpd_delay_reject = yes
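Review bot: `smtp_tls_security_level = may` in the new Outgoing Mail block still delivers in cleartext whenever the remote server does not offer STARTTLS, and it does not verify the peer certificate, so the subject line's "outgoing mail encryption" is best-effort only. The comment above the setting should say that, for example `# opportunistic TLS: falls back to cleartext and does not verify the peer certificate`. If some destinations must never receive mail in the clear, that needs a per-destination policy via `smtp_tls_policy_maps` or the `dane` level with a DNSSEC-validating resolver, neither of which is visible in this hunk. The Incoming Mail block also has no counterpart to `smtp_tls_loglevel = 1`; adding `smtpd_tls_loglevel = 1` would let the logs show which inbound sessions, including those carrying SASL logins, completed a TLS handshake.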
@@ -75,4 +79,4 @@ biff = no
 # fresh installs.
 compatibility_level = 2
 # maximum size allowed for sent messages, in bytes
-message_size_limit = 33554432
+message_size_limit = 102400000
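Review bot: The `message_size_limit` change from 33554432 to 102400000 is unrelated to the TLS work named in the subject, and roughly triples the largest message the server will accept and queue from any sender, with no reason recorded. Postfix's own delivery agents expect `mailbox_size_limit` (default 51200000) and `virtual_mailbox_limit` to be at least `message_size_limit`. Neither is visible in this hunk, and with `local_transport = dovecot` they may not apply, so that should be confirmed along with the matching limits on the Dovecot side. I would move this to its own commit, or at least extend the comment, e.g. `# 10x the Postfix default; keep mailbox/queue limits >= this value`.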