I run an SSL/TLS mail server with Postfix and Dovecot over SMTPS (465) and IMAPS (993).
Unencrypted connections do not work and there is no fallback.
Every time I restart Postfix I get the message "using backwards-compatible default setting chroot=y" for the smtps and submission entries respectively. Is something configured wrong here, or do you configure these entries differently?
Warning
postfix[13334]: To disable backwards compatibility use "postconf compatibility_level=2" and "postfix reload"
postfix/postfix-script[13434]: starting the Postfix mail system
postfix/master[13436]: /etc/postfix/master.cf: line 8: using backwards-compatible default setting chroot=y
postfix/master[13436]: /etc/postfix/master.cf: line 15: using backwards-compatible default setting chroot=y
postfix/master[13436]: daemon started -- version 3.1.9, configuration /etc/postfix
Config
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
Best Answer
This has actually nothing to do with TLS / SSL.
Given your log entries I presume you have updated Postfix from main version 2 to 3 at some point in time.
Your config in master.cf still sets a chroot for the Postfix queue directory, which simply is no longer the default, hence the entries in your log.
It is explained in the section "Using backwards-compatible default setting chroot=y" of the respective README at http://www.postfix.org/COMPATIBILITY_README.html.
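The following is an added example, not part of the original question or answer: a shell sketch that finds the master.cf entries whose chroot field (the fifth column) is left at "-", which is what the warning points at, and prints the `postconf -F` commands that set the field explicitly. The sample file is constructed for illustration and the function names are hypothetical.

```shell
# Constructed sample modelled on the question's master.cf (not the poster's file).
sample_master_cf() {
cat <<'EOF'
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp       inet  n       -       n       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
smtps      inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
pickup     unix  n       -       y       60      1       pickup
EOF
}

# Read master.cf on stdin; print "<line> <service>/<type>" for every entry
# whose chroot field is "-", i.e. relies on the compiled-in default.
implicit_chroot_entries() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
    /^[ \t]/ { next }                   # continuation lines ("-o ..." options)
    $5 == "-" { printf "%d %s/%s\n", NR, $1, $2 }
  '
}

# Read master.cf on stdin; print one postconf -F command per implicit entry.
# $1 = y keeps the pre-3.0 behaviour (chrooted), n adopts the new default.
explicit_chroot_commands() {
  value=$1
  implicit_chroot_entries | while read -r lineno entry; do
    printf 'postconf -F %s/chroot=%s\n' "$entry" "$value"
  done
}

# Stand-alone run: show what would be changed to keep the services chrooted.
sample_master_cf | explicit_chroot_commands y
```

Setting the field to `n` removes the chroot from a service that previously ran inside one, so pick `y` or `n` per service rather than silencing the warning wholesale, then run `postfix reload`.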