King0770-Notes-smtp tls policy maps
The contents of this article are not yet complete and should be considered highly experimental.
By default, Zimbra has never modified smtp_tls_policy_maps, so adding smtp_tls_policy_maps would be considered a custom change. However, using the zimbra account, you could add the following to the /opt/zimbra/conf/zmconfigd.cf file; right above the RESTART mta line.
POSTCONF smtp_tls_policy_maps lmdb:/opt/zimbra/conf/tls_policy
Then restart the MTA to pick up the changes.
zmmtactl restart
Then check it as the zimbra user...
postconf | grep smtp_tls_policy_maps
smtp_tls_policy_maps = lmdb:/opt/zimbra/conf/tls_policy <<== Should see this
Make sure to run postmap against the /opt/zimbra/conf/tls_policy file; use "lmdb" not "hash"
postmap /opt/zimbra/conf/tls_policy
Make sure to double check the smtp_tls_security_level setting as well
postconf | grep smtp_tls_security_level
smtp_tls_security_level options
may TLS? good. no TLS? good.
encrypt accept any invalid server certificate, demands encryption.
verify accept trusted server certificate (do I trust the CA? does the CN match the MX?), demands encryption.
secure only accept trusted certificate if CN/SAN matches the recipient domain - and ignore insecure (MX) information for validation.
Changes to the zmconfigd.cf will NOT survive upgrades.
Notable RFE: https://bugzilla.zimbra.com/show_bug.cgi?id=108691
Additional Info: http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps