King0770-Notes-smtp tls policy maps

Revision as of 20:15, 5 December 2017 by King0770 (talk | contribs)

|ZCS 8.7 Article ZCS 8.7 |ZCS 9.0 Article ZCS 9.0

The contents of this article are not yet complete and should be considered highly experimental.

By default, Zimbra has never modified smtp_tls_policy_maps, so adding smtp_tls_policy_maps would be considered a custom change. However, using the zimbra account, you could add the following to the /opt/zimbra/conf/ file; right above the RESTART mta line.

POSTCONF smtp_tls_policy_maps        lmdb:/opt/zimbra/conf/tls_policy

Then restart the MTA to pick up the changes.

zmmtactl restart

Then check it as the zimbra user...

postconf | grep smtp_tls_policy_maps
smtp_tls_policy_maps = lmdb:/opt/zimbra/conf/tls_policy      <<== Should see this

Make sure to run postmap against the /opt/zimbra/conf/tls_policy file; use "lmdb" not "hash"

postmap /opt/zimbra/conf/tls_policy

Make sure to double check the smtp_tls_security_level setting as well

postconf | grep smtp_tls_security_level

Possible smtp_tls_security_level options
may TLS? good. no TLS? good.
encrypt accept any invalid server certificate, demands encryption.
verify accept trusted server certificate (do I trust the CA? does the CN match the MX?), demands encryption.
secure only accept trusted certificate if CN/SAN matches the recipient domain - and ignore insecure (MX) information for validation.

Changes to the will NOT survive upgrades.

Notable RFE:

Additional Info:

Jump to: navigation, search