I want to use traefik as a TCP router with self-updating Let’s Encrypt certificates (besides a lot of other HTTPS stuff) for routing / SSL-terminating SMTP traffic to Univention’s Postfix.
For this, traefik seems to be able to speak only unencrypted to Univention’s Postfix, so it terminates SSL connections for SMTP (MailClient --> SSL to Port 465 at traefik --> unencrypted to Port 587 at Univention Postfix).
So I first set the UCR Var “mail/postfix/mastercf/options/submission/smtpd_enforce_tls” to “no”, so that Port 587 can be unencrypted.
The last thing to do is to set the Postfix option “smtpd_tls_auth_only” to “no” so that Postfix asks for authentication (which comes from traefik) over unencrypted traffic, too. Otherwise one gets “Relay access denied”, as the mail client isn’t asked to authenticate, because this option forbids authentication over unencrypted connections.
This option is in “/etc/univention/templates/files/etc/postfix/main.cf.d/60_tls” and hardcoded to “yes”.
There I could set it to “no”, do a “ucr commit /etc/postfix/main.cf”, and everything works as it should. But after the next Univention upgrade the template will of course be replaced.
I just found out how to extend config templates by adding and registering my own config file template snippets… but how do I REPLACE a line which already exists in Univention’s own templates?
Thx for any hint!
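
An added audit sketch, not part of the original post: because the “smtpd_tls_auth_only” line from the 60_tls template ends up in main.cf, it applies to every smtpd listener unless master.cf overrides it. This Python check lists the listeners that would accept AUTH without TLS; the config text is constructed sample data, and only the “-o name=value” override form is parsed.

```python
import re

# Constructed sample configs (not taken from a real UCS system).
MAIN_CF = "smtpd_sasl_auth_enable = yes\nsmtpd_tls_auth_only = no\n"
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_enforce_tls=no
smtps      inet  n  -  y  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
pickup     unix  n  -  y  60 1  pickup
"""

def parse_main_cf(text):
    """Return {param: value}; the last assignment wins, as in Postfix."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line[0].isspace() or line.startswith("#"):
            continue  # blank, continuation or comment line
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def parse_master_cf(text):
    """Return {(service, type): (command, {override: value})} from "-o" options."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():  # first line of a service entry
            f = line.split()
            current = services[(f[0], f[1])] = (f[7], {})
        if current:
            current[1].update(re.findall(r"-o\s+([\w.]+)=(\S+)", line))
    return services

def plaintext_auth_services(main_cf, master_cf):
    """List smtpd listeners that accept AUTH without TLS."""
    base, found = parse_main_cf(main_cf), []
    for (name, kind), (command, overrides) in parse_master_cf(master_cf).items():
        eff = {**base, **overrides}  # master.cf -o values override main.cf
        on = lambda key: eff.get(key, "no") == "yes"  # all three default to "no"
        if (kind == "inet" and command == "smtpd" and on("smtpd_sasl_auth_enable")
                and not on("smtpd_tls_auth_only") and not on("smtpd_tls_wrappermode")):
            found.append(name)
    return found

if __name__ == "__main__":
    print(plaintext_auth_services(MAIN_CF, MASTER_CF))
```

On a live host the two inputs can be read from /etc/postfix/main.cf and /etc/postfix/master.cf; a result that includes the port 25 “smtp” service means the change is not limited to the listener behind traefik.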