
List:       postfix-users
Subject:    Re: SMTPD TLS policy by Client IP ?
From:       Victor Duchovni <Victor.Duchovni () morganstanley ! com>
Date:       2010-10-28 19:57:10
Message-ID: 20101028195710.GT12547 () np305c2n2 ! ms ! com

On Thu, Oct 28, 2010 at 02:48:11PM -0500, Noel Jones wrote:

>> However for incoming mail it looks like
>> "smtpd_tls_security_level" it is all or none on enforcement of
>> encryption.
>> Does such a control exist?
>
> You can use a check_client_access map with the "reject_plaintext_session"
> action.
> http://www.postfix.org/postconf.5.html#reject_plaintext_session

Yep, put the IPs in a "cidr:" table, and off you go. This is only
a band-aid of course, TLS policy is up to the sender, a misconfigured
sender gateway can send the mail to the wrong place, with or without
encryption.

	http://www.postfix.org/TLS_README.html#client_tls_limits

Maintaining lists of peer IPs on which to enforce TLS is a pain, I
don't recommend this unless the IPs at the other end are also yours.

-- 
	Viktor.
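
The setup described in this message, written out as an added example that is not part of the original post or of the Postfix documentation. The table path and the addresses (documentation ranges) are constructed placeholders; the parameters and the `reject_plaintext_session` action are the ones named in the thread.

```cfg
# ---- /etc/postfix/main.cf (fragment) ----

# STARTTLS has to be offered for the listed clients to be able to comply.
# "may" keeps TLS optional for every client that is not in the table.
smtpd_tls_security_level = may

# Keep the default. With "yes", client restrictions are evaluated at
# RCPT TO, after the client has had the chance to issue STARTTLS.
# With "no" they run at connect time, when every session is still
# plaintext, so listed clients would always be refused.
smtpd_delay_reject = yes

# Hypothetical table path. cidr: tables are read directly as text,
# no postmap build step is needed.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/tls_required_clients.cidr

# Reply code used when a listed client stays in plaintext. 450 is the
# default: a temporary failure, so a well-behaved sender queues and retries.
plaintext_reject_code = 450

# ---- /etc/postfix/tls_required_clients.cidr ----
# Constructed sample entries. Patterns are tried in order, first match
# wins. Clients that match nothing fall through and are not forced to TLS.
192.0.2.0/24        reject_plaintext_session
198.51.100.17/32    reject_plaintext_session
2001:db8:10::/48    reject_plaintext_session

# ---- check the lookup before reloading Postfix ----
#   postmap -q 192.0.2.25 cidr:/etc/postfix/tls_required_clients.cidr
# prints "reject_plaintext_session" for a listed address and nothing
# for an unlisted one.
```

This only refuses plaintext from the listed addresses on this server; as the message says, it does not control where the sender's gateway delivers.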