On Wed, Mar 18, 2026 at 03:27:04PM +0000, Andrew Beverley via Postfix-users
wrote:
> Next question: can I use a header in the transport map instead of the
> sender...? Or any other parameters for that matter?
>
> I am looking for a way to mandate onward delivery via enforced TLS,
> stipulated from a client that is delivering to Postfix. I guess I
> could set up a custom socket in master.cf, which would probably work
> for me, although it would be good to know if there are any other
> options (specifically with a header in the email).

If you're running Postfix 3.11 (released 2026-03-05), then with the
default:

    requiretls_enable = yes
    requiretls_esmtp_header = yes

TLS will be enforced if the incoming message headers include:

    Require-TLS-ESMTP: yes

Or if it is added by an smtpd(8) by matching a

    some-lookup-key PREPEND Require-TLS-ESMTP: yes

rule in an access(5) table. Such as:

    main.cf:
        smtpd_client_restrictions =
            check_client_access cidr:{
                {192.0.2.0/24 PREPEND Require-TLS-ESMTP: yes}
            }

or

    master.cf:
        # For a suitable IP and/or port
        smtp inet n - n - - smtpd
            -o { smtpd_client_restrictions =
                    check_client_access cidr:{
                        {192.0.2.0/24 PREPEND Require-TLS-ESMTP: yes}
                    } }

--
Viktor. 🇺🇦 Слава Україні!
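
An added example, not part of the message above and not Postfix code: a small Python model of the cidr: table lookup from the reply, for checking which client addresses would pick up the PREPEND action before the rule is deployed. It assumes plain `network/mask action` lines searched in order with the first match winning; the function names and the extra DUNNO rule are constructed for illustration.

```python
import ipaddress

# Constructed sample table: the rule from the reply, preceded by a
# hypothetical DUNNO exception to show that rule order matters.
SAMPLE_TABLE = """
# hypothetical carve-out, not from the original message
192.0.2.128/25   DUNNO
192.0.2.0/24     PREPEND Require-TLS-ESMTP: yes
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order, skipping blanks/comments."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'network/mask action'")
        # strict=True rejects patterns with host bits set, e.g. 192.0.2.1/24
        rules.append((ipaddress.ip_network(parts[0], strict=True), parts[1].strip()))
    return rules

def lookup(rules, client_ip):
    """First matching rule wins; None means no rule matched."""
    addr = ipaddress.ip_address(client_ip)
    for network, action in rules:
        if addr in network:
            return action
    return None

def requires_tls(rules, client_ip):
    """True if the matching action prepends 'Require-TLS-ESMTP: yes'."""
    action = lookup(rules, client_ip)
    if not action or not action.upper().startswith("PREPEND "):
        return False
    name, sep, value = action[len("PREPEND "):].partition(":")
    return bool(sep) and name.strip().lower() == "require-tls-esmtp" and value.strip() == "yes"

if __name__ == "__main__":
    rules = parse_cidr_table(SAMPLE_TABLE)
    for ip in ("192.0.2.10", "192.0.2.200", "198.51.100.7"):
        print(ip, "->", "Require-TLS-ESMTP" if requires_tls(rules, ip) else "no header added")
```

With the constructed table, 192.0.2.200 matches the earlier DUNNO line and gets no header, which is the kind of ordering mistake worth catching before relying on the rule for TLS enforcement.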