Re: SMTPD TLS policy by Client IP ?

  • Victor Duchovni
    Message 1 of 3 , Oct 28, 2010
      On Thu, Oct 28, 2010 at 02:48:11PM -0500, Noel Jones wrote:

      >> However for incoming mail it looks like
      >> "smtpd_tls_security_level" it is all or none on enforcement of
      >> encryption.
      >> Does such a control exist?
      >
      > You can use a check_client_access map with the "reject_plaintext_session"
      > action.
      > http://www.postfix.org/postconf.5.html#reject_plaintext_session

      Yep, put the IPs in a "cidr:" table, and off you go. This is only
      a band-aid of course: TLS policy is up to the sender; a misconfigured
      sender gateway can send the mail to the wrong place, with or without
      encryption.

      http://www.postfix.org/TLS_README.html#client_tls_limits

      Maintaining lists of peer IPs on which to enforce TLS is a pain; I
      don't recommend this unless the IPs at the other end are also yours.

      --
      Viktor.
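
The setup described in this message, sketched as an added example that is not part of the original post: a "cidr:" table consulted through check_client_access, with reject_plaintext_session as the action for the listed peers. The table path /etc/postfix/tls_required_clients and the documentation-range addresses are assumptions, and server certificate settings are assumed to be configured already.

```cfg
# --- /etc/postfix/main.cf ---
# Offer STARTTLS to every client without requiring it globally.
smtpd_tls_security_level = may

# With the default smtpd_delay_reject = yes, client restrictions are
# evaluated at RCPT TO, after the client has had a chance to issue
# STARTTLS, which reject_plaintext_session requires.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/tls_required_clients

# --- /etc/postfix/tls_required_clients ---
# (path is an assumption; addresses are constructed sample values)
# Entries are searched in order and the first match wins, so the
# exception for a single host goes before the enclosing network.
# Comments must be on their own lines; text after the action would be
# read as part of the action.
192.0.2.25/32       DUNNO
192.0.2.0/24        reject_plaintext_session
2001:db8:100::/48   reject_plaintext_session
```

A cidr: table is read as plain text, so no postmap build step is needed; `postmap -q 192.0.2.10 cidr:/etc/postfix/tls_required_clients` shows which action a given client address would match.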