In fairness, things like postfix usually ship with very poor (not to say “moronic”) defaults.
Like, postfix won’t even try to connect to tls-enabled smtp for outgoing email by default, and you have to explicitly point it at the certificate bundle it’s supposed to consider valid.
And you have to tell it explicitly to reject incoming plaintext connections from the public internet.
And quite a bit more… Like, why doesn’t postfix have its own freaking spf/dkim implementation BUILT IN?
"Mandatory TLS encryption: announce STARTTLS support to remote SMTP clients, and require that clients use TLS encryption. According to RFC 2487 this MUST NOT be applied in case of a publicly-referenced SMTP server. Instead, this option should be used only on dedicated servers."
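As an added illustration of both points in this exchange (the complaint that Postfix does nothing about TLS unless told to, and the documentation's warning against `encrypt` on a public MX), here is a small audit script. It is example code written for this page, not from the thread's authors or from the Postfix project. It parses `main.cf` syntax (the same `name = value` form `postconf -n` prints) and flags the client-side and server-side TLS parameters discussed above. The parameter names (`smtp_tls_security_level`, `smtp_tls_CAfile`, `smtp_tls_CApath`, `smtpd_tls_security_level`, `smtpd_tls_cert_file`, `smtpd_tls_key_file`) are real Postfix parameters; the two sample configurations are constructed, the `public_mx` switch and the severity labels are the script's own assumptions, and the "no TLS" defaults it assumes are the Postfix source defaults, which a distribution package may override.

```python
import re

# Constructed sample resembling a near-default main.cf: nothing about TLS
# beyond the server certificate, so the client side never tries STARTTLS.
SAMPLE_STOCK_MAIN_CF = """\
# constructed sample, not from a real host
myhostname = mx.example.test
smtpd_tls_cert_file = /etc/ssl/certs/mx.pem
smtpd_tls_key_file = /etc/ssl/private/mx.key
"""

# Constructed sample with the TLS parameters set explicitly: opportunistic
# STARTTLS in both directions plus a CA bundle the client can verify against.
SAMPLE_HARDENED_MAIN_CF = """\
# constructed sample, not from a real host
myhostname = mx.example.test
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mx.pem
smtpd_tls_key_file = /etc/ssl/private/mx.key
"""

PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_main_cf(text):
    """Parse main.cf (or `postconf -n` output): `name = value` lines,
    `#` comment lines, and continuation lines that start with whitespace."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            params[current] = (params[current] + " " + raw.strip()).strip()
            continue
        match = PARAM_RE.match(raw)
        if match is None:
            continue  # tolerate junk lines rather than abort the audit
        current, params[current] = match.group(1), match.group(2).strip()
    return params


def audit_tls(params, public_mx=True):
    """Return (severity, parameter, message) findings for the settings the
    thread complains about. public_mx=True applies the documentation's
    warning against `encrypt` on a publicly referenced MX (assumed switch)."""
    findings = []

    # Outbound (smtp client): the source default is empty, meaning no TLS at all.
    client_level = params.get("smtp_tls_security_level", "")
    if client_level in ("", "none"):
        findings.append(("high", "smtp_tls_security_level",
                         "outbound mail never attempts STARTTLS; set at least 'may'"))
    elif client_level in ("verify", "secure"):
        # These levels verify the server certificate, which needs a trust anchor.
        if not params.get("smtp_tls_CAfile") and not params.get("smtp_tls_CApath"):
            findings.append(("high", "smtp_tls_CAfile",
                             f"'{client_level}' verifies certificates but no "
                             "smtp_tls_CAfile/smtp_tls_CApath is configured"))

    # Inbound (smtpd server): default 'none' means STARTTLS is never offered.
    server_level = params.get("smtpd_tls_security_level", "none")
    if server_level in ("", "none"):
        findings.append(("high", "smtpd_tls_security_level",
                         "STARTTLS is not offered to connecting clients; set 'may'"))
    else:
        if not params.get("smtpd_tls_cert_file") or not params.get("smtpd_tls_key_file"):
            findings.append(("high", "smtpd_tls_cert_file",
                             "TLS enabled for smtpd but certificate/key are not set"))
        if server_level == "encrypt" and public_mx:
            findings.append(("medium", "smtpd_tls_security_level",
                             "'encrypt' on a publicly referenced MX contradicts the "
                             "documented MUST NOT; use 'may' and reserve 'encrypt' "
                             "for dedicated servers"))
    return findings


def audit_text(text, public_mx=True):
    """Convenience wrapper: parse then audit; returns the findings list."""
    return audit_tls(parse_main_cf(text), public_mx)


if __name__ == "__main__":
    for name, cfg in (("stock", SAMPLE_STOCK_MAIN_CF), ("hardened", SAMPLE_HARDENED_MAIN_CF)):
        print(f"== {name} ==")
        for severity, param, msg in audit_text(cfg) or [("info", "-", "no findings")]:
            print(f"[{severity}] {param}: {msg}")
```

Run against the stock sample it reports both the outbound and inbound "no TLS" findings; against the hardened sample it reports nothing. Feeding it the output of `postconf -n` from a real host is the intended use; the `public_mx` flag exists only so that `encrypt` is accepted on a dedicated server, as the quoted documentation allows.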