I have a client with Release 8.8.15.GA.3869.UBUNTU18.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P35
The client is a law firm, and the insurance company is pressing them to use "mandatory TLS", by which they seem to mean the Zimbra server will not send to an MX host if the receiver does not successfully negotiate TLS encryption, and the Zimbra server will refuse to accept messages if the TLS "handshake" is not completed.
Currently Zimbra has the postfix setting
smtpd_tls_security_level = may
I have verified that it does send and receive "opportunistic" TLS email, but it will also both send and accept unencrypted mail.
Yes, the client is happy to have email delivery failures, both inbound and outbound if the message can't be TLS-encrypted.
My attempts to make this happen (enforce TLS) were informed by this typically succinct note on the page "Postfix TLS Support", and resulted in fatal errors in Zimbra (not a big surprise). Sadly, I did not record the exact failure mode, but IIRC, Zimbra failed to start.
Evidence of fall-back to unencrypted was gathered from the "testMandatoryTo:" and "testMandatoryFrom:" options at the checkTLS service.

You can ENFORCE the use of TLS, so that the Postfix SMTP server announces STARTTLS and accepts no mail without TLS encryption, by setting "smtpd_tls_security_level = encrypt". According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced Postfix SMTP server. This option is off by default and should only seldom be used.
Example:
/etc/postfix/main.cf:
smtpd_tls_security_level = encrypt
https://www.checktls.com/TestReceiver?ASSURETLS
So, where to from here? I feel like I'm missing a big piece of the puzzle.
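An added example, not code from the post or from Zimbra/Postfix: a small Python audit that parses a main.cf excerpt and reports whether the server side (smtpd_tls_security_level) and the client side (smtp_tls_security_level) are each set to a level that refuses mail without TLS, which is what "mandatory TLS" in both directions requires. The main.cf content is constructed for the example; on Zimbra the real file is regenerated from the LDAP config, so hand edits to main.cf do not persist and the audit is best run against the generated file.

```python
"""Audit a Postfix main.cf for mandatory (not opportunistic) TLS in both directions."""
import re

# Constructed main.cf excerpt (not the poster's file): Zimbra's default
# opportunistic server-side level, nothing set on the client (smtp_*) side.
SAMPLE_MAIN_CF = """\
# excerpt, constructed for this example
smtpd_tls_security_level = may
smtpd_tls_cert_file = /opt/zimbra/conf/smtpd.crt
smtp_tls_loglevel =
    1
"""

# Client-side levels that refuse delivery without TLS. "may" and "dane" are
# opportunistic (dane falls back to "may" when the MX has no TLSA record).
MANDATORY_CLIENT = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}
# The server side knows only none / may / encrypt.
MANDATORY_SERVER = {"encrypt"}

def parse_main_cf(text):
    """'key = value' lines, '#' comments, and whitespace-led continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:  # continuation of previous value
            params[key] = (params[key] + " " + raw.strip()).strip()
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:  # later assignments override earlier ones, as in Postfix
            key, params[key] = m.group(1), m.group(2).strip()
    return params

def tls_posture(params):
    """(inbound_enforced, outbound_enforced); an unset level means Postfix's
    default of 'none', i.e. no TLS at all on that side."""
    inbound = params.get("smtpd_tls_security_level", "none")
    outbound = params.get("smtp_tls_security_level", "none")
    return inbound in MANDATORY_SERVER, outbound in MANDATORY_CLIENT

def enforcing_overrides(params):
    """main.cf lines still needed so both directions require TLS."""
    inbound_ok, outbound_ok = tls_posture(params)
    fixes = []
    if not inbound_ok:
        fixes.append("smtpd_tls_security_level = encrypt")
    if not outbound_ok:
        fixes.append("smtp_tls_security_level = encrypt")
    return fixes
```

Running the audit on the constructed excerpt reports (False, False): the "may" setting the post quotes only enables opportunistic TLS inbound, and with no smtp_tls_security_level at all the outbound side is not even opportunistic.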