From e8933c455f9eb4217cbb3461a6b603f26bb9cccd Mon Sep 17 00:00:00 2001
From: link2xt
Date: Mon, 23 Mar 2026 20:32:57 +0100
Subject: [PATCH] fix: set default smtp_tls_security_level to "verify" unconditionally
This change was accidentally added in cf96be2cbbf30c01afd1ec26c4ade51e342dab5b
Relay should not stop validating TLS certificates of other relays just because it has a self-signed or externally managed certificate. Externally managed certificate is likely to even be valid.
---
 cmdeploy/src/cmdeploy/postfix/main.cf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmdeploy/src/cmdeploy/postfix/main.cf.j2 b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
index 9a9ca20b..cbae0f27 100644
--- a/cmdeploy/src/cmdeploy/postfix/main.cf.j2
+++ b/cmdeploy/src/cmdeploy/postfix/main.cf.j2
@@ -20,7 +20,7 @@ smtpd_tls_key_file={{ config.tls_key_path }}
 smtpd_tls_security_level=may
 smtp_tls_CApath=/etc/ssl/certs
-smtp_tls_security_level={{ "verify" if config.tls_cert_mode == "acme" else "encrypt" }}
+smtp_tls_security_level=verify
 # Send SNI extension when connecting to other servers. # smtp_tls_servername = hostname
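Review bot: The new `smtp_tls_security_level=verify` line has no comment saying that outbound certificate verification is deliberately independent of `config.tls_cert_mode`, and the commit message says the conditional it replaces was added by accident. I would add above it `# Always verify certificates of other relays; this must not depend on how our own certificate is obtained (tls_cert_mode).` The same comment could mention that at the `verify` level Postfix matches the certificate against the MX hostname, which comes from DNS lookups that are unauthenticated unless DNSSEC is in use. If a test renders this template, asserting that the value is `verify` for every `tls_cert_mode` would stop the downgrade to `encrypt` from returning; whether such a test exists is not visible from this hunk.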