List: postfix-users
Subject: Re: CMD tool to check if next SMTP hop can use TLS for messages?
From: wietse () porcupine ! org (Wietse Venema)
Date: 2009-11-27 23:55:08
Message-ID: 20091127235508.913461F3EA6 () spike ! porcupine ! org
Harakiri:
> > 1) Configure the Postfix SMTP client to REQUIRE TLS.
> >
> >     smtp_tls_security_level=encrypt
>
> no - as I said, my filter has its own rules and can be based on recipient, sender, or a combination of both - Postfix can't do this, or at least not without different policy servers
> >
> > 2) Configure the Postfix SMTP server to reject mail that
> >    cannot be delivered via SMTP-over-TLS.
> >
> >     smtpd_recipient_restrictions =
> >         reject_unverified_recipient
> >         permit_mynetworks
> >         reject_unauth_destination
>
> again, doesn't work - as I said I want this policy based in an existing filter - therefore I asked for a CMD app to check the existence of TLS myself
Given this:
> I know about all the difficulties with MX lookup etc, the original
> goal would be - that i have a policy for external domains - and
> that for certain domains a message should only be sent if TLS is
> available - if a message to a certain domain is sent which does
> not support TLS - it should be blocked -
You can configure reject_unverified_recipient to use a message
delivery transport that requires TLS, even when normal mail deliveries
don't require it:
/etc/postfix/main.cf:
    # Verification probes are routed with this table, not with transport_maps,
    # so normal deliveries keep their own (non-TLS) settings.
    address_verify_transport_maps = hash:/etc/postfix/verify_transport

/etc/postfix/verify_transport:
    # Probes for recipients in example.com go through the TLS-only client.
    example.com    smtp-tls-required:

/etc/postfix/master.cf:
    # A second SMTP client that will not deliver unless STARTTLS succeeds.
    smtp-tls-required unix  -       -       -       -       -       smtp
        -o smtp_tls_security_level=encrypt
Then, you can invoke reject_unverified_recipient SELECTIVELY
for the domains that need TLS.
Wietse
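The "selectively" part, spelled out as an added example that is not from the original post or from the Postfix documentation: bind reject_unverified_recipient to a restriction class and trigger that class from an access map keyed by recipient domain, so only the listed domains pay for a probe. The domain example.com, the file name /etc/postfix/tls_required_domains and the class name require_tls_dest are assumptions chosen for illustration; every parameter name is a real Postfix one.

```ini
# /etc/postfix/main.cf  (added example; example.com and file names are assumed)

# Probes issued by reject_unverified_recipient are routed with this table,
# independent of the transport_maps used for real deliveries.
address_verify_transport_maps = hash:/etc/postfix/verify_transport

# A restriction class whose only job is to run the verification probe.
smtpd_restriction_classes = require_tls_dest
require_tls_dest = reject_unverified_recipient

# The access map comes first, as in Wietse's ordering, so that mail from
# local clients (permit_mynetworks) is still subject to the TLS check.
# The map returns the class name for domains that must be reachable over
# TLS and simply does not match for everyone else.
smtpd_recipient_restrictions =
    check_recipient_access hash:/etc/postfix/tls_required_domains
    permit_mynetworks
    reject_unauth_destination

# /etc/postfix/tls_required_domains  (build with: postmap /etc/postfix/tls_required_domains)
# recipient domain        result = name of the restriction class above
example.com               require_tls_dest

# /etc/postfix/verify_transport  (build with: postmap /etc/postfix/verify_transport)
# Probes for these domains use the TLS-only SMTP client defined in master.cf.
example.com               smtp-tls-required:

# /etc/postfix/master.cf
# service           type  private unpriv chroot wakeup maxproc command
smtp-tls-required   unix  -       -       -      -      -       smtp
    -o smtp_tls_security_level=encrypt
```

Two caveats worth checking before relying on this. First, probe results are cached in address_verify_map and kept for address_verify_positive_expire_time / address_verify_negative_expire_time, so a domain that gains or loses STARTTLS support is not noticed until the cache entry is refreshed. Second, when the TLS-only client finds no STARTTLS it defers rather than bounces, so the probe comes back as a temporary failure and the SMTP server answers with unverified_recipient_defer_code (450 by default, Postfix 2.6 and later; see postconf(5) for your version) instead of a hard 5xx; the submitting client keeps retrying rather than receiving a bounce. Note also that smtp_tls_security_level=encrypt only proves the probe used TLS with whatever certificate the peer presented; if the policy is meant to cover peer authentication as well, the probe transport should use the secure or verify level instead.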