From c730ec37f0fd78e6089efed96f20557e1177145e Mon Sep 17 00:00:00 2001
From: Alex Palaistras
Date: Sun, 19 Sep 2021 13:30:06 +0100
Subject: [PATCH] postfix: Use strict encryption for SMTPS, Submission

The SMTPS (465) And Submission (587) ports expect encryption, either implicitly (i.e. via direct TLS connection) or explicitly (i.e. via STARTTLS), but this was not enforced previously. Port 25 remains configured for opportunistic encryption, but will still not allow for authentication over unencrypted transports.
---
 config/service/postfix/container/config/master.cf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/config/service/postfix/container/config/master.cf b/config/service/postfix/container/config/master.cf
index 43e19a0..8c419dd 100644
--- a/config/service/postfix/container/config/master.cf
+++ b/config/service/postfix/container/config/master.cf
@@ -6,8 +6,8 @@
 # (yes) (yes) (no) (never) (100)
 # ==========================================================================
 smtp inet n - n - - smtpd
-smtps inet n - n - - smtpd
-submission inet n - n - - smtpd
+smtps inet n - n - - smtpd -o smtpd_tls_wrappermode=yes
+submission inet n - n - - smtpd -o smtpd_tls_security_level=encrypt
 pickup unix n - n 60 1 pickup
 cleanup unix n - n - 0 cleanup
 qmgr unix n - n 300 1 qmgr
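Review bot: The new `smtps` and `submission` entries make TLS mandatory but carry no override that limits either port to authenticated clients, so unless main.cf (not visible in this patch) already does so, 465 and 587 apply the same access policy as port 25, only over an encrypted channel. Consider adding `-o smtpd_sasl_auth_enable=yes` and `-o smtpd_relay_restrictions=permit_sasl_authenticated,reject` to both entries, as the stock master.cf sample does for submission. A per-service `-o syslog_name=postfix/submission` (and `postfix/smtps`) would also let log review and alerting distinguish client submission from MX traffic on port 25.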