# TLS settings (Postfix SMTP server side).
# smtpd_use_tls is the obsolete Postfix 2.2 knob for opportunistic STARTTLS; it is
# ignored as soon as smtpd_tls_security_level is set, which is the preferred way
# to express the same policy ("may"). smtpd_tls_auth_only restricts SASL AUTH to
# sessions that have already negotiated TLS, so credentials are never accepted
# over a cleartext connection.
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_starttls_timeout = 300s
smtpd_timeout = 300s
@!@
fqdn = '%s.%s' % (baseConfig.get('hostname'), baseConfig.get('domainname'))
# Certificate and private key default to this host's UCS-managed PKI files
# unless overridden in UCR.
ssl_dir = '/etc/univention/ssl/%s' % fqdn
cert_file = baseConfig.get('mail/postfix/ssl/certificate', ssl_dir + '/cert.pem')
key_file = baseConfig.get('mail/postfix/ssl/key', ssl_dir + '/private.key')
print 'smtpd_tls_cert_file = %s' % cert_file
print 'smtpd_tls_key_file = %s' % key_file
# Trust anchors for client-certificate verification are only emitted when the
# corresponding UCR variable is set (and non-empty).
for option, variable in (('smtpd_tls_CAfile', 'mail/postfix/ssl/cafile'), ('smtpd_tls_CApath', 'mail/postfix/ssl/capath')):
	value = baseConfig.get(variable)
	if value:
		print '%s = %s' % (option, value)
@!@
smtpd_tls_received_header = no
smtpd_tls_session_cache_timeout = 3600s

tls_random_source = dev:/dev/urandom
smtpd_sasl_auth_enable = yes

smtpd_sasl_local_domain =

smtpd_sasl_security_options = noanonymous

# SMTP client (outbound) TLS policy. The UCR default 'none' delivers mail to
# remote MTAs in plain text; 'may' enables opportunistic STARTTLS, and
# 'encrypt'/'dane'/'verify'/'secure' enforce stricter policies. See
# postconf(5) smtp_tls_security_level before changing the default.
@!@
# Outbound TLS policy taken from UCR; falls back to 'none' (no TLS to remote
# MTAs) when the variable is unset.
client_level = baseConfig.get('mail/postfix/tls/client/level', 'none')
print 'smtp_tls_security_level = %s' % client_level
@!@

# Interoperability with clients that implement an obsolete form of the AUTH
# command (e.g. Microsoft Outlook Express 4.x, which expects "AUTH=LOGIN"
# instead of "AUTH LOGIN"). This only changes how AUTH is advertised; the
# TLS-only restriction above still applies.
broken_sasl_auth_clients = yes

# TLS logging. Level 1 (summary) is sufficient for production; levels 3 and 4
# dump handshake/traffic details, are very verbose, and should only be enabled
# temporarily for debugging.
smtp_tls_loglevel = @%@mail/postfix/smtp/tls/loglevel@%@
smtpd_tls_loglevel = @%@mail/postfix/smtpd/tls/loglevel@%@

# EDH (finite-field Diffie-Hellman) parameters.
# Despite the parameter name, smtpd_tls_dh1024_param_file may -- and should --
# point to a 2048-bit or larger group; 1024-bit DH is considered weak.
# The 512-bit group is only used with export-grade ciphers, which are not
# enabled at the default cipher grade and have been dropped in recent Postfix
# releases -- confirm against postconf(5) for the installed version.
smtpd_tls_dh1024_param_file = @%@mail/postfix/smtpd/tls/dh1024/param/file@%@
smtpd_tls_dh512_param_file = @%@mail/postfix/smtpd/tls/dh512/param/file@%@

# Use the Postfix SMTP server's cipher preference order instead of the remote
# client's. This only helps if the server's cipher list is deliberately ordered
# strongest-first.
tls_preempt_cipherlist = @%@mail/postfix/tls/preempt/cipherlist@%@

# The Postfix SMTP server security grade for ephemeral elliptic-curve
# Diffie-Hellman (EECDH) key exchange: "none", "strong" or "ultra" (newer
# releases also accept "auto"); "strong" or "auto" is the usual choice.
smtpd_tls_eecdh_grade = @%@mail/postfix/smtpd/tls/eecdh/grade@%@

