Skip to content

enable_tls

Controls whether and how TLS will be used when connecting to the destination.

Note

This setting is overriden by enable_mta_sts and/or enable_dane when either of those options are enabled and an MTA-STS or DANE policy (respectively) is published by the destination site.

Possible values are:

  • "Opportunistic" - use TLS if advertised by the EHLO response. If the peer has invalid or self-signed certificates, then the delivery will fail. KumoMTA will NOT fallback to not using TLS on that same host.

  • "OpportunisticInsecure" - use TLS if advertised by the EHLO response. Validation of the certificate will be skipped. Not recommended for sending to the public internet; this is intended for local or lab testing scenarios.

  • "Required" - Require that TLS be advertised in the EHLO response. The remote host must have valid certificates in order to deliver to the site.

  • "RequiredInsecure" - Require that TLS be advertised in the EHLO response. Validation of the certificate will be skipped. Not recommended for sending to the public internet; this is intended for local or lab testing scenarios.

  • "Disabled" - do not try to use TLS.

The default value is "Opportunistic".

kumo.on('get_egress_path_config', function(domain, source_name, site_name)
  return kumo.make_egress_path {
    enable_tls = 'Opportunistic',
  }
end)