I can't for the life of me understand why ZCS does not ship with the following Postfix configuration option set to "may" and why it is cleared after an upgrade!
I'd file a bug report but want to make sure other users experience this as well.
zimbra@host:~$ postconf smtp_tls_security_level
zimbra@host:~$ zmlocalconfig postfix_smtp_tls_security_level
Warning: null valued key 'postfix_smtp_tls_security_level'
Or is there a good reason for SENDING ALL OUTGOING EMAIL IN CLEARTEXT even if the receiving smtpd server supports SSL/TLS?
Is this happening for anyone else?
Is it like this only in the OSE?
To enable opportunistic TLS for the Postfix SMTP client (smtp):
zimbra@host:~$ zmlocalconfig -e postfix_smtp_tls_security_level=may
zimbra@host:~$ postconf -e smtp_tls_CAfile=/opt/zimbra/zimbramon/lib/Mozilla/CA/cacert.pem
zimbra@host:~$ postconf -e smtp_tls_loglevel=1
The first line enables opportunistic TLS: if the receiving smtpd server supports TLS/SSL, message delivery to that server is encrypted; otherwise the message is sent in cleartext, hence "opportunistic".
Note: Zimbra's config (re)writer recognises this configuration option and will transpose it into main.cf (after removing the postfix_ prefix) and reload the Postfix configuration automatically.
The second line isn't strictly needed but should be executed so that Postfix can 'trust' other smtpd servers' certificates (it looks better in the logs). If it can't 'trust' them, encryption still occurs, but the connection is logged as 'Untrusted'.
The third line lets you monitor /var/log/zimbra.log to make sure TLS is being used on outgoing emails.
Note: The latter two configuration options are NOT recognised by Zimbra's config (re)writer, which is why you must use postconf rather than zmlocalconfig - and it means you'll have to do this all over again after an upgrade, until this is fixed!
You should now see this in your logs when you send an email from ZCS:
May 13 12:11:10 host postfix/smtp: Trusted TLS connection established to mail.example.com[xx.xx.xx.xx]:25: TLSv1.2 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)
Am I going mad?
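To check the result of the steps above on a running host, here is an added shell example (it is not part of the original post and not Zimbra's own tooling). It validates the value reported for smtp_tls_security_level and summarises postfix/smtp lines from zimbra.log by how each delivery was protected: it goes a little beyond the single "Trusted TLS" line shown above by also counting Untrusted/Anonymous TLS and cleartext deliveries, correlating each status=sent line with the last TLS line logged by the same smtp process. The log lines embedded in it are constructed samples in the format shown above; the hostnames, addresses and queue ids are placeholders, and the pid-based correlation is a heuristic, since Postfix may reuse one smtp process for several connections.

```shell
#!/bin/sh
# Added example (not from the original post or from Zimbra): audit outgoing
# Postfix TLS use. The log lines in SAMPLE_LOG are constructed samples in the
# zimbra.log format shown in the post; hosts, addresses and queue ids are placeholders.

# Return 0 if the given smtp_tls_security_level value makes the SMTP client
# offer STARTTLS at all; an empty value or "none" means cleartext only.
tls_level_ok() {
  case "$1" in
    may|encrypt|dane|dane-only|fingerprint|verify|secure) return 0 ;;
    *) return 1 ;;
  esac
}

# Read postfix/smtp log lines on stdin and print
# "trusted=N untrusted=N plain=N", one count per delivery (status=sent).
# A delivery is attributed to the most recent TLS line logged by the same
# smtp process ("postfix/smtp[PID]"); a delivery with no preceding TLS line
# from that process is counted as plain (cleartext). Heuristic: Postfix may
# reuse one smtp process for several connections.
tls_summary() {
  awk '
    {
      pid = "?"
      if (match($0, /postfix\/smtp\[[0-9]+\]/)) pid = substr($0, RSTART, RLENGTH)
    }
    /postfix\/smtp[^:]*: Trusted TLS connection established/ { tls[pid] = "trusted"; next }
    /postfix\/smtp[^:]*: (Untrusted|Anonymous) TLS connection established/ { tls[pid] = "untrusted"; next }
    /postfix\/smtp[^:]*: .*status=sent/ {
      kind = (pid in tls) ? tls[pid] : "plain"
      count[kind]++
    }
    END {
      printf "trusted=%d untrusted=%d plain=%d\n",
        count["trusted"] + 0, count["untrusted"] + 0, count["plain"] + 0
    }'
}

# Constructed sample log: three deliveries (trusted TLS, untrusted TLS, cleartext).
SAMPLE_LOG='May 13 12:11:10 host postfix/smtp[2101]: Trusted TLS connection established to mail.example.com[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 13 12:11:10 host postfix/smtp[2101]: 4F3A1B2C3D: to=<user@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
May 13 12:12:42 host postfix/smtp[2102]: Untrusted TLS connection established to mx.example.net[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
May 13 12:12:42 host postfix/smtp[2102]: 5A6B7C8D9E: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 OK)
May 13 12:14:05 host postfix/smtp[2103]: 6B7C8D9EA0: to=<carol@example.org>, relay=mail.example.org[203.0.113.4]:25, delay=0.6, delays=0.1/0/0.3/0.2, dsn=2.0.0, status=sent (250 OK)'

# Summarise the constructed sample. On a real ZCS host run instead:
#   grep 'postfix/smtp' /var/log/zimbra.log | tls_summary
summarise_sample() {
  printf '%s\n' "$SAMPLE_LOG" | tls_summary
}

# Real-host check of the setting (not run here; postconf -h prints the bare value):
#   tls_level_ok "$(postconf -h smtp_tls_security_level)" || echo "outgoing mail is cleartext only"
summarise_sample
```

Any non-zero "plain" count after the change is worth a look in the log: it means a destination either offered no STARTTLS or the smtp process logged no TLS line for that connection.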