Re: CMD tool to check if next SMTP hop can use TLS for messages?

  • Wietse Venema
    Message 1 of 8, Nov 27, 2009
      Harakiri:
      > > 1) Configure the Postfix SMTP client to REQUIRE TLS.
      > >
      > >     smtp_tls_security_level=encrypt
      >
      > no - as I said, my filter has its own rules and can be based on recipient, sender, or a combination of both - postfix can't do this, or at least not without different policy servers
      >
      > >
      > > 2) Configure the Postfix SMTP server to reject mail that
      > >    cannot be delivered via SMTP-over-TLS.
      > >
      > >     smtpd_recipient_restrictions =
      > >         reject_unverified_recipient
      > >         permit_mynetworks
      > >         reject_unauth_destination
      >
      > again, doesn't work - as I said I want this policy based in an existing filter - therefore I asked for a CMD app to check the existence of TLS myself

      Given this:

      > I know about all the difficulties with MX lookup etc, the original
      > goal would be - that i have a policy for external domains - and
      > that for certain domains a message should only be sent if TLS is
      > available - if a message to a certain domain is sent which does
      > not support TLS - it should be blocked -

      You can configure reject_unverified_recipient to use a message
      delivery transport that requires TLS, even when normal mail deliveries
      don't require it:

      /etc/postfix/main.cf:
          address_verify_transport_maps = hash:/etc/postfix/verify_transport

      /etc/postfix/verify_transport:
          example.com    smtp-tls-required:

      /etc/postfix/master.cf:
          # service          type  private unpriv chroot wakeup maxproc command
          smtp-tls-required  unix  -       -      -      -      -       smtp
              -o smtp_tls_security_level=encrypt

      Then, you can invoke reject_unverified_recipient SELECTIVELY
      for the domains that need TLS.

      Wietse
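The original poster asked for a command-line tool that checks whether the next SMTP hop offers TLS, so that an external filter can make the decision itself. The following is an added example of such a check, written for this page; it is not code from the thread or from Postfix. It connects to each MX host of a domain, sends EHLO and inspects the response for the STARTTLS capability (RFC 3207), treating the domain as TLS-capable only if every MX host advertises it, since the MTA may deliver to any of them. MX resolution is left out so that the example runs offline; the `mx.example.test` and `probe.example.test` names, the loopback ports and the two fake MX servers are constructed stand-ins for real hosts.

```python
"""Probe SMTP hosts for STARTTLS support (added example, not from the thread).

A domain is treated as TLS-capable only if every MX host advertises STARTTLS
in its EHLO response. MX lookup is omitted so the example runs offline; the
constructed fake servers below stand in for real MX hosts.
"""
import smtplib
import socket
import threading


def starttls_offered(host, port=25, timeout=10):
    """Connect, send EHLO, and return True iff the peer advertises STARTTLS.

    Only the capability announcement is checked; the handshake itself is not
    attempted, and a successful handshake is what Postfix's 'encrypt' level
    additionally requires.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.example.test",
                      timeout=timeout) as conn:
        code, _ = conn.ehlo()
        if code != 250:
            raise smtplib.SMTPException(f"EHLO rejected by {host}:{port}: {code}")
        return conn.has_extn("starttls")


def domain_tls_capable(mx_hosts):
    """Check every MX host of a domain; return (all_ok, per_host_results).

    mx_hosts is a list of (host, port) pairs; a real tool would fill it from
    the domain's MX records (for example with dnspython or 'dig +short MX').
    A host that cannot be reached counts as 'no TLS', because the MTA could
    not deliver to it over TLS either.
    """
    results = {}
    for host, port in mx_hosts:
        try:
            results[f"{host}:{port}"] = starttls_offered(host, port)
        except (OSError, smtplib.SMTPException):
            results[f"{host}:{port}"] = False
    return all(results.values()), results


# --- constructed fake MX servers, for offline demonstration only -------------

def _serve_one(listener, advertise_starttls):
    """Minimal ESMTP responder: greets, answers EHLO (optionally listing
    STARTTLS), handles QUIT, and refuses every other command."""
    conn, _ = listener.accept()
    listener.close()
    with conn, conn.makefile("rb") as rd:
        conn.sendall(b"220 mx.example.test ESMTP constructed-test-server\r\n")
        for raw in rd:
            verb = raw.decode("ascii", "replace").strip().split(" ", 1)[0].upper()
            if verb == "EHLO":
                lines = [b"250-mx.example.test", b"250-SIZE 10240000"]
                if advertise_starttls:
                    lines.append(b"250-STARTTLS")
                lines.append(b"250 8BITMIME")
                conn.sendall(b"\r\n".join(lines) + b"\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 2.0.0 Bye\r\n")
                break
            else:
                conn.sendall(b"502 5.5.2 Command not implemented\r\n")


def start_fake_mx(advertise_starttls):
    """Start a one-shot fake MX on a free loopback port and return the port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_one, args=(listener, advertise_starttls),
                     daemon=True).start()
    return port


if __name__ == "__main__":
    # Two constructed MX hosts for 'example.test': one offers STARTTLS, one does not,
    # so the domain as a whole must be treated as not TLS-capable.
    mx = [("127.0.0.1", start_fake_mx(True)), ("127.0.0.1", start_fake_mx(False))]
    ok, detail = domain_tls_capable(mx)
    for name, offered in detail.items():
        print(f"{name}: STARTTLS {'offered' if offered else 'NOT offered'}")
    print("example.test TLS-capable:", ok)
```

Two caveats for anyone wiring this into a filter. First, an advertised STARTTLS is not the same as a working one: a host can announce the extension and then fail the handshake or present an unusable certificate, and Postfix's `smtp_tls_security_level=encrypt` defers delivery in that case too. A full check therefore also completes the handshake, which `openssl s_client -starttls smtp -connect host:25` does interactively. Second, the Postfix approach in the answer above performs the same probe from inside the MTA; when the probe cannot be delivered for lack of TLS, the sending client sees a temporary rejection by default (both `unverified_recipient_reject_code` and `unverified_recipient_defer_code` default to 450), so raise the reject code to 550 if the message is meant to be refused outright rather than retried.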