From 9bf93a731e2d76bb84387eaf270c67c07a424699 Mon Sep 17 00:00:00 2001
From: "Jan Alexander Steffens (heftig)" <heftig@archlinux.org>
Date: Wed, 26 May 2021 19:27:52 +0200
Subject: [PATCH] postfix: Don't allow TLS on localhost:smtp

The certificate won't be valid, anyway. Synapse actually fails to send
if the server allows STARTTLS but presents an invalid certificate.
---
 roles/postfix/templates/master.cf.j2 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/roles/postfix/templates/master.cf.j2 b/roles/postfix/templates/master.cf.j2
index 8a71cb624..b256265b9 100644
--- a/roles/postfix/templates/master.cf.j2
+++ b/roles/postfix/templates/master.cf.j2
@@ -18,6 +18,7 @@ smtp      inet  n       -       n       -       -       smtpd
     -o smtpd_proxy_options=speed_adjust
 {% else %}
 localhost:smtp      inet  n       -       n       -       -       smtpd
+    -o smtpd_tls_security_level=none
 {% endif %}
 
 {% if postfix_server %}
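Review bot: The reason for `-o smtpd_tls_security_level=none` on the `localhost:smtp` service is recorded only in the commit message, and the override is acceptable only while this listener stays bound to loopback, since everything it accepts is now plaintext. A comment above the service line would keep that visible in the template, e.g. `# loopback only: STARTTLS disabled, the certificate cannot match "localhost" and clients such as Synapse refuse to send on an invalid one`. If main.cf sets `smtpd_tls_auth_only = yes` (not visible here), SASL AUTH will no longer be offered on this listener, so it is worth confirming that no local client relies on it. The `{% if %}` that opens this `{% else %}` branch lies outside the hunk.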
-- 
GitLab