I use the version from Debian bullseye, namely 3.4.14.
It is possible; honestly, it is an old configuration. When I change versions I look at the error messages to update the configuration, but since I did not get any for this, I did not touch anything.
If the remote server does not support TLS, does that mean the e-mail is sent in cleartext? If so, I would rather my e-mail not be sent and get an error instead.
┌ (almtesh@mail + 0) (02/07/22 - 9:13:25) (1.33 - 0%) (~)
└% postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
anvil_status_update_time = 7200
append_dot_mydomain = no
biff = no
bounce_queue_lifetime = 7d
broken_sasl_auth_clients = yes
default_destination_concurrency_limit = 1
dovecot_destination_recipient_limit = 1
inet_interfaces = all
inet_protocols = all
initial_destination_concurrency = 1
mailbox_size_limit = 0
maximal_queue_lifetime = 7d
message_size_limit = 536870912
milter_default_action = accept
milter_protocol = 2
mydestination = localhost
myhostname = mail.almtesh.net
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
non_smtpd_milters = $smtpd_milters
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, permit
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_invalid_hostname, permit
smtpd_milters = inet:localhost:8891
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_unauth_pipelining, reject_invalid_hostname, check_policy_service unix:private/policy-spf , permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_sender_domain, permit
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/certs/mail.almtesh.net.pem
smtpd_tls_key_file = /etc/ssl/private/mail.almtesh.net.key
smtpd_tls_mandatory_exclude_ciphers = LOW, DES, MD5, RC4, aNULL
smtpd_tls_mandatory_protocols = TLSv1, SSLv3
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
virtual_alias_maps = mysql:/etc/postfix/mysql/virtual-alias-maps.cf
virtual_gid_maps = static:8
virtual_mailbox_domains = mysql:/etc/postfix/mysql/virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql/virtual-mailbox-maps.cf
virtual_transport = dovecot
virtual_uid_maps = static:8
┌ (almtesh@mail + 0) (02/07/22 - 9:13:38) (1.80 - 0%) (~)
└%
But then, if the DNS server that resolves the destination domain name does not support DNSSEC (or it is not configured), will it not work?
Also, this machine uses a dnsmasq as its DNS server for caching and an unbound for recursive resolution; I believe I enabled DNSSEC support for both, but I do not know how to test it.
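As an added example (not from the original post or from Postfix), this Python script parses a `postconf -n` dump in the shape of the one above and reports the settings behind the two questions: the legacy `smtp_use_tls = yes` with no `smtp_tls_security_level` means opportunistic TLS, so a peer without STARTTLS gets the mail in cleartext (`encrypt` fails instead; `dane` enforces TLS only for domains with DNSSEC-validated TLSA records and needs `smtp_dns_support_level = dnssec`), and `smtpd_tls_mandatory_protocols = TLSv1, SSLv3` is an inclusion list that allows deprecated protocols. The sample input is a constructed excerpt of that dump.

```python
import re

# Constructed excerpt in the shape of the `postconf -n` output posted above.
SAMPLE_POSTCONF = """\
smtp_tls_note_starttls_offer = yes
smtp_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_mandatory_protocols = TLSv1, SSLv3
smtpd_use_tls = yes
"""

# Protocol names Postfix still accepts in these lists but that are deprecated.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
PROTOCOL_PARAMS = ("smtp_tls_protocols", "smtp_tls_mandatory_protocols",
                   "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols")


def parse_postconf(text):
    """Turn `name = value` lines into a dict; empty values are kept as ''."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def audit_outbound_tls(conf):
    """Findings about whether outbound mail may leave in cleartext."""
    findings = []
    level = conf.get("smtp_tls_security_level")
    if level is None:
        # With no security level set, Postfix derives it from the legacy
        # switches: smtp_use_tls=yes alone means "may" (opportunistic TLS).
        if conf.get("smtp_use_tls") == "yes" and conf.get("smtp_enforce_tls") != "yes":
            findings.append("smtp_use_tls=yes without smtp_tls_security_level: "
                            "opportunistic TLS, cleartext fallback when the peer has "
                            "no STARTTLS; use smtp_tls_security_level=encrypt (or dane "
                            "with a DNSSEC-validating resolver) to fail instead")
    elif level in ("none", "may"):
        findings.append(f"smtp_tls_security_level={level}: cleartext fallback allowed")
    elif level in ("dane", "dane-only") and conf.get("smtp_dns_support_level") != "dnssec":
        findings.append(f"smtp_tls_security_level={level} needs smtp_dns_support_level=dnssec")
    return findings


def audit_protocols(conf):
    """Flag protocol lists that explicitly allow deprecated versions."""
    findings = []
    for name in PROTOCOL_PARAMS:
        tokens = [t for t in re.split(r"[,\s]+", conf.get(name, "")) if t]
        allowed = {t for t in tokens if not t.startswith("!")}  # "!X" excludes X
        bad = sorted(allowed & DEPRECATED_PROTOCOLS)
        if bad:
            findings.append(f"{name} explicitly allows {', '.join(bad)}; prefer an "
                            "exclusion list such as !SSLv2, !SSLv3, !TLSv1, !TLSv1.1")
    return findings


def audit(text):
    conf = parse_postconf(text)
    return audit_outbound_tls(conf) + audit_protocols(conf)
```

Running `audit(open("/path/to/postconf-n.txt").read())` on a real dump gives the same list of findings for that host.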