King0770-Notes-smtp tls policy maps: Difference between revisions
Line 21: | Line 21: | ||
</pre></code> | </pre></code> | ||
Make sure to run postmap against the /opt/zimbra/conf/tls_policy file; use "lmdb" not "hash" | Make sure to run postmap against the /opt/zimbra/conf/tls_policy file; use <strong>"lmdb"</strong> not "hash" | ||
<code><pre> | <code><pre> | ||
postmap /opt/zimbra/conf/tls_policy | postmap /opt/zimbra/conf/tls_policy |
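Review bot: bolding "lmdb" in the changed sentence still leaves the reader without a place to put it, because the command that follows, postmap /opt/zimbra/conf/tls_policy, carries no type prefix. postmap accepts the form type:file and otherwise builds whatever default_database_type names, so consider either writing the command with the type given explicitly as lmdb:/opt/zimbra/conf/tls_policy, or saying that the lmdb/hash choice refers to the prefix used in the smtp_tls_policy_maps value.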
Revision as of 16:52, 6 December 2017
The contents of this article are not yet complete and should be considered highly experimental.
Changes to the zmconfigd.cf file will NOT survive upgrades.
By default, Zimbra has never modified smtp_tls_policy_maps, so adding it is considered a custom change. However, as the zimbra user, you can add the following line to the /opt/zimbra/conf/zmconfigd.cf file, right above the RESTART mta line.
POSTCONF smtp_tls_policy_maps lmdb:/opt/zimbra/conf/tls_policy
Then restart the MTA to pick up the changes.
zmmtactl restart
Then check it as the zimbra user...
postconf | grep smtp_tls_policy_maps
smtp_tls_policy_maps = lmdb:/opt/zimbra/conf/tls_policy <<== Should see this
Make sure to run postmap against the /opt/zimbra/conf/tls_policy file; use "lmdb" not "hash"
postmap /opt/zimbra/conf/tls_policy
Make sure to double check the smtp_tls_security_level setting as well
postconf | grep smtp_tls_security_level
Possible smtp_tls_security_level options:
may: use TLS if the server offers it; deliver without TLS if it does not.
encrypt: demands encryption, but accepts any server certificate, including an invalid one.
verify: demands encryption and accepts only a trusted server certificate (do I trust the CA? does the CN match the MX?).
secure: accepts only a trusted certificate whose CN/SAN matches the recipient domain, and ignores insecure (MX) information for validation.
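The following is an added example, not part of the original article: a shell lint that reads a policy file in the Postfix "destination level [attributes]" format and reports, per entry, what the chosen level means according to the list above, so that typos and weak levels are caught before postmap is run. The function names and the sample domains are constructed for illustration; levels other than the four listed above come from the Postfix documentation linked below.

```shell
#!/bin/sh
# Added example: lint a Postfix TLS policy table before running postmap on it.
# Entry format: "<next-hop destination> <security level> [attributes]".

lint_tls_policy() {
    # $1 = policy file. Prints one finding per entry; returns 1 if a level is invalid.
    awk '
    BEGIN {
        # Levels accepted in smtp_tls_policy_maps per postconf(5).
        n = split("none may encrypt dane dane-only fingerprint verify secure", l, " ")
        for (i = 1; i <= n; i++) valid[l[i]] = 1
        rc = 0
    }
    /^[ \t]*(#|$)/ { next }   # comments and blank lines
    /^[ \t]/       { next }   # continuation of the previous entry
    {
        dest = $1; level = $2
        if (!(level in valid)) {
            printf "ERROR line %d: %s has unknown level \"%s\"\n", NR, dest, level
            rc = 1
        } else if (level == "none" || level == "may") {
            printf "WARN line %d: %s can be delivered in cleartext (%s)\n", NR, dest, level
        } else if (level == "encrypt") {
            printf "WARN line %d: %s is encrypted but the certificate is not verified\n", NR, dest
        } else if (level == "verify" || level == "secure") {
            printf "OK line %d: %s (%s)\n", NR, dest, level
        } else {
            printf "INFO line %d: %s uses %s, see postconf(5)\n", NR, dest, level
        }
    }
    END { exit rc }' "$1"
}

# Constructed sample policy with placeholder domains.
sample_policy() {
    cat <<'EOF'
# constructed sample, not from the original page
example.com             encrypt
example.net             may
[mail.example.org]:587  secure match=mail.example.org
typo.example            encrpyt
EOF
}

tmp=$(mktemp)
sample_policy > "$tmp"
lint_tls_policy "$tmp" || echo "Fix the errors above before running postmap."
rm -f "$tmp"
```

Point the function at /opt/zimbra/conf/tls_policy to check the real file; a non-zero return means at least one entry has a level Postfix will not accept.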
Notable RFE: https://bugzilla.zimbra.com/show_bug.cgi?id=108691
Additional Info: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps