Thanks for your response.
I did play with this threshold, but it actually only slows down the interval between reboots. It does not solve the underlying problem the setting generates. It would indeed make it possible to trick watchdog into not freaking out so much, but it would not disable postfix monitoring anyway and would have the consequence of generating a pile of useless logs (it might also use up drives prematurely for not much benefit).
You would also, like you said, need to find a way to set up external monitoring built for this purpose.
I dug a little bit into what’s working and what’s not, and it seems that, apart from watchdog, at least SOGo is not working (not a big deal for me since I use a Thunderbird + Nextcloud combo (webmail, contacts and agenda)), but since it’s an advertised and useful functionality, especially for those using Outlook with ActiveSync, I guess it still needs to work for other people.
I’m not a postfix specialist. The last time I set up my own mail server was about 13 years ago and it was not a good setup since I didn’t know anything about mail servers, DNS or Linux at the time (good old-school times when you set up a TeamSpeak server that gets hijacked one month later because you ran it as root…).
But from what I see in master.cf and main.cf, I’m sure that security is not really an issue there since Postfix is set up to be available without TLS encryption only on locally available networks on the server itself.
I actually did some testing with Thunderbird and I think TLS is actually already a requirement, just not globally enforced, and tools like CheckTLS, ImmuniWeb, etc. don’t combine availability with real-life pentests and separate the policy availability that is reported from a real security check.
Well, I guess that’s why it’s reported as a warning and not a critical issue in both tools anyway.
I’m not sure I even want to bother the dev team with this since it does not seem to be a real issue anyway now that I understand better what is done and how.
I think it could technically be done to enforce TLS everywhere, but it would involve too many changes for too few benefits.