change smtp tls default policy to *secure* to avoid falling back to insecure policy when missing entries in map

README.md

@@ -15,9 +15,7 @@ sudo docker run --detach --rm \
     --publish 127.0.0.1:25:25 \
     --restart unless-stopped \
     --name postfix \
-    fphammerle/postfix:3.3.0-amd64-relay
+    fphammerle/postfix:3.3.0-amd64-relay-secure
 ```
 
 optional: enable usernamespace mode via daemon option `userns-remap`
-
-TODO: investigate why postfix won't verify `$relayhost` against `$smtp_tls_policy_maps`

main.cf

@@ -10,8 +10,9 @@ smtpd_tls_received_header = yes
 smtpd_sasl_authenticated_header = yes
 
 # CLIENT
-smtp_tls_security_level = dane
+smtp_tls_security_level = secure
-# exceptions for smtp servers not providing DANE
+smtp_tls_secure_cert_match = nexthop
+# exceptions where secure nexthop policy is too strict
 smtp_tls_policy_maps = hash:/etc/postfix/smtp-tls-policy-map
 # trusted CA for exceptions specified in policy map (lvl verify & secure)
 smtp_tls_CAfile = /etc/postfix/smtp-tls-trusted-ca.pem

smtp-tls-policy-map

@@ -1,6 +1,4 @@
 # postmap /etc/postfix/smtp-tls-policy-map
 
-alpaga.hammerle.me	secure match=nexthop
+hammerle.me:smtp	secure match=epignomus.hammerle.me:velo.hammerle.me:alpaga.hammerle.me
-epignomus.hammerle.me	secure match=nexthop
+hammerle.me:submission	secure match=epignomus.hammerle.me:velo.hammerle.me:alpaga.hammerle.me
-velo.hammerle.me	secure match=nexthop
-hammerle.me	secure match=epignomus.hammerle.me:velo.hammerle.me