I see that smtpd_tls_security_level was added but the corresponding smtp setting (smtp_tls_security_level) is missing. This is required when setting up Gmail as a smarthost and needs to be set to encrypt although may might also work. I haven't had a chance to test it.
Manually adding the setting to main.cf allows connection to Gmail.
@ctgreybeard
The best, most secure, default values are:
smtp_tls_security_level = dane
smtpd_tls_security_level = encrypt #For public mail server MTA set this value to "may" to comply with RFC2487.
smtp_dns_support_level = dnssec
This was supposed to have been fixed already, see issue #503
As for the settings, I just used what Gmail suggested. As that is probably the only host I will send mail through (because it's the Smarthost) then what they suggest is what I'll use. The issue (easily remedied) is that the GUI does not have an option to set that config setting. It does have the corresponding one for SMTPD but not for the client. It's not clear to me that #503 addresses the lack.
@ctgreybeard
You're free to set smtp_tls_security_level = encrypt as google suggested, but realize that's only the minimal security level, and only it prevents the most primitive passive wiretapping of your email.
The best preferred default value is smtp_tls_security_level = dane which prevents active/intentional wiretapping of your email.
Ref: https://blog.verisign.com/security/how-dane-strengthens-security-for-tls-smime-and-other-applications/
Thanks for that explanation, I will look to change that setting.
But the point of the issue is not the value but that the setting is not available at all in the GUI.
It should be added in the gui and made available by the core if not already. Was possibly an oversight, the parameter name is almost identical.
I'll add config options for the SMTP client TLS level.
Thank you. I would do it myself but I've just gotten familiar with webmin and wouldn't be comfortable doing that yet.
Most helpful comment
I'll add config options for the SMTP client TLS level.