0

I swear they changed this in the last year or two, but as of 2017-11-20, the SES developer guide for Postfix recommends setting up TLS via stunnel. This seems odd to me, considering that Postfix can already do TLS if you just add these lines to main.cf:

smtp_use_tls = yes
smtp_tls_security_level = encrypt
smtp_tls_note_starttls_offer = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

In fact, I'm pretty sure I originally got the above configuration options from a previous version of the SES docs. Why did they change this?

Mike Conigliaro
  • I recall recently seeing that and wondering the same thing, since as you point out, it's unnecessary. Stranger still, I see no reference to stunnel on that page at the moment. Check it again? Maybe some old content got inadvertently published and subsequently reverted. – Michael - sqlbot Nov 21 '17 at 01:34
  • @Michael-sqlbot I just checked the page again, and you're right! The stunnel stuff is gone now. – Mike Conigliaro Nov 21 '17 at 01:39

1 Answer

1

It could be related to

Postfix < 3.0 Although older Postfix SMTP client versions do not support TLS wrapper mode, it is relatively easy to forward a connection through the stunnel program if Postfix needs to deliver mail to some legacy system that doesn't support STARTTLS.

But you can avoid using stunnel with Postfix 3.0+

http://www.postfix.org/postconf.5.html#smtp_tls_wrappermode

Also, according to http://www.postfix.org/announcements/postfix-3.1.4.html, only 2.11 is currently supported (as a legacy release) from the 2.x branches

ALex_hha
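An added example (not part of the original answer, and not Postfix's own code): a small Python check over main.cf text for the settings discussed in this thread. It flags a loopback relayhost of the kind a stunnel forwarder uses, and `smtp_tls_wrappermode` set without a mandatory security level. The sample configs, the host name and port 11125 are constructed placeholders, and the check reads only `smtp_tls_security_level`, not the older `smtp_enforce_tls`.

```python
import re

# Levels at which the Postfix SMTP client refuses to deliver without TLS.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Parse main.cf: skip '#' comments, join continuation lines (leading
    whitespace), and let the last definition of a parameter win."""
    params, name = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and name:
            params[name] = (params[name] + " " + raw.strip()).strip()
            continue
        key, sep, value = raw.partition("=")
        if sep:
            name = key.strip()
            params[name] = value.strip()
    return params

def audit(text):
    """Return a list of findings for the outbound (smtp_*) TLS settings."""
    p, findings = parse_main_cf(text), []
    level = p.get("smtp_tls_security_level", "")
    enforced = level in MANDATORY
    if "smtp_use_tls" in p:
        findings.append("smtp_use_tls is obsolete; use smtp_tls_security_level")
    if not enforced:
        findings.append("smtp_tls_security_level does not enforce TLS")
    if p.get("smtp_tls_wrappermode", "no") == "yes" and not enforced:
        findings.append("smtp_tls_wrappermode needs level 'encrypt' or stronger")
    if re.match(r"\[?(127\.0\.0\.1|localhost|::1)\]?:\d+$", p.get("relayhost", "")):
        findings.append("relayhost is a loopback port (stunnel-style forwarder)")
    return findings

# Constructed samples; the host name and port 11125 are placeholders.
STUNNEL_STYLE = """\
# Postfix hands mail in clear text to a local stunnel listener
relayhost = [127.0.0.1]:11125
"""
NATIVE_WRAPPER = """\
relayhost = [smtp.example.com]:465
smtp_tls_security_level = encrypt
smtp_tls_wrappermode = yes
"""
if __name__ == "__main__":
    for name in ("STUNNEL_STYLE", "NATIVE_WRAPPER"):
        print(name, audit(globals()[name]))
```

Feeding it the output of `postconf -n` instead of the raw file also works, since that output uses the same `name = value` form.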