
Enforced TLS per MX (message 291497)

  • Jan P. Kessler
    Feb 22, 2013
      Dear list,

      we are trying to establish enforced TLS with a partner that hosts about
      2000 recipient domains. All of these point to the same four MX records:

      host[1-4].example.com

      As I did not want to specify all of these domains in our tls_policy
      file, I wanted to ask if there is any option to enforce TLS by those MX
      addresses.

      I already tried to set up a new instance with the setting
      "smtp_tls_security_level=encrypt" at port 26. On the main instance I
      have set up a restriction that redirects all mails to the partner's MX
      by the following configuration:

      main.cf:
      ----------
      check_recipient_mx_access=pcre:$data_directory/TLSMX.pcre

      $data_directory/TLSMX.pcre:
      -----------------------------------------
      /^host[1-4]\.example\.com$/ FILTER smtp:[localhost]:26

      Unfortunately this does not work as expected for multi-recipient mails,
      because the FILTER action affects all recipients (even those to other MX
      destinations):

      recipient1@...  --> OK
      recipient2@...  --> Fails, because the MX for example.net does not offer TLS

      So: Does anybody see a chance to enforce TLS with our partner without
      the requirement to configure all of their recipient domains in the
      tls_policy file?

      Best regards, Jan
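An added example, not part of the thread and not Postfix's own code: a FILTER action in an access map is applied to the whole message (the last FILTER wins), which is exactly why the multi-recipient case above breaks, whereas tls_policy entries are keyed by next-hop domain and so act per recipient. The remaining chore is producing the 2000 entries. The script below generates them from a domain list by checking that every MX of a domain matches the partner's host[1-4].example.com pattern; a domain with a mixed MX set is deliberately left out, because Postfix may pick the non-partner MX, where "encrypt" would fail. The `resolve_mx` callback and the `SAMPLE_MX` table are constructed stand-ins for a real DNS lookup (for production you would plug in e.g. dnspython's resolver); the domain names are made up.

```python
"""Generate Postfix tls_policy entries for recipient domains whose MX set lies
entirely within a partner's MX hosts.

Added example; assumptions: the partner MX pattern from the post, and a
caller-supplied resolver so the script can be run offline with sample data.
"""
import re
import sys
from typing import Callable, Iterable, List

# Partner MX hostnames from the post; the trailing dot tolerates FQDNs as
# returned by DNS libraries.  Note the escaped dots: in the post's pcre map
# an unescaped '.' would also match "host1.exampleXcom".
PARTNER_MX = re.compile(r"^host[1-4]\.example\.com\.?$", re.IGNORECASE)

# Resolver contract: domain -> list of MX hostnames ([] when there are none).
Resolver = Callable[[str], List[str]]

# Constructed sample data standing in for DNS (not real zones).
SAMPLE_MX = {
    "partner-a.example": ["host1.example.com", "host2.example.com",
                          "host3.example.com", "host4.example.com"],
    "partner-b.example": ["HOST3.example.com."],          # case/FQDN variant
    "mixed.example":     ["host1.example.com", "mx.example.net"],
    "other.example.net": ["mx.example.net"],
    "nomx.example":      [],
}


def sample_resolver(domain: str) -> List[str]:
    """Offline stand-in for an MX lookup (assumption: constructed data)."""
    return SAMPLE_MX.get(domain, [])


def normalize(domain: str) -> str:
    """Lower-case and strip a trailing dot so duplicates collapse."""
    return domain.strip().lower().rstrip(".")


def partner_hosted(domain: str, resolve_mx: Resolver) -> bool:
    """True only if the domain has at least one MX and *every* MX is a partner
    host.  Mixed MX sets are rejected: forcing TLS there can bounce mail that
    Postfix happens to route to the non-partner MX."""
    mxs = resolve_mx(domain)
    return bool(mxs) and all(PARTNER_MX.match(mx) for mx in mxs)


def build_tls_policy(domains: Iterable[str], resolve_mx: Resolver,
                     level: str = "encrypt") -> List[str]:
    """Return sorted, de-duplicated tls_policy lines ('domain<TAB>level') for
    every partner-hosted domain in `domains`."""
    wanted = sorted({normalize(d) for d in domains if d.strip()})
    return [f"{d}\t{level}" for d in wanted if partner_hosted(d, resolve_mx)]


if __name__ == "__main__":
    # Usage: feed one recipient domain per line on stdin, redirect stdout to
    # the tls_policy source file, then run `postmap` on it.  With no stdin
    # data the constructed sample domains are used.
    raw = [l for l in sys.stdin.read().splitlines()] if not sys.stdin.isatty() else []
    domains = raw or list(SAMPLE_MX)
    for line in build_tls_policy(domains, sample_resolver):
        print(line)
```

The generated file must be rebuilt whenever the partner changes its MX records, so the script belongs in a cron job rather than being run once; a domain that drops out of the list falls back to the default `smtp_tls_security_level`, so a diff of successive outputs is worth alerting on.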