Viktor Dukhovni via Postfix-users:
> On Wed, Mar 18, 2026 at 03:27:04PM +0000, Andrew Beverley via Postfix-users
> wrote:
>
> > Next question: can I use a header in the transport map instead of the
> > sender...? Or any other parameters for that matter?
> >
> > I am looking for a way to mandate onward delivery via enforced TLS,
> > stipulated from a client that is delivering to Postfix. I guess I
> > could set up a custom socket in master.cf, which would probably work
> > for me, although it would be good to know if there are any other
> > options (specifically with a header in the email).
>
> If you're running Postfix 3.11 (released 2026-03-05), then with the
> default:
>
> requiretls_enable = yes
> requiretls_esmtp_header = yes
>
> TLS will be enforced if the incoming message headers include:
>
> Require-TLS-ESMTP: yes
>
> Or if it is added by an smtpd(8) by matching a
>
> some-lookup-key PREPEND Require-TLS-ESMTP: yes
>
> rule in an access(5) table. Such as:
>
> main.cf:
>     smtpd_client_restrictions =
>         check_client_access cidr:{
>             {192.0.2.0/24 PREPEND Require-TLS-ESMTP: yes}
>         }
>
> or
>
> master.cf:
>     # For a suitable IP and/or port
>     smtp      inet  n       -       n       -       -       smtpd
>       -o { smtpd_client_restrictions =
>              check_client_access cidr:{
>                  {192.0.2.0/24 PREPEND Require-TLS-ESMTP: yes}
>              } }
Caution: this requires *authenticated* TLS, i.e. DANE, MTA-STS, or
equivalent. It is part of the Postfix REQUIRETLS implementation
(the REQUIRETLS extension in ESMTP is defined in RFC 8689).
https://www.postfix.org/REQUIRETLS_README.html
Wietse
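The policy the thread describes, as an added Python simulation that is not Postfix code: a client in the access-table CIDR range gets `Require-TLS-ESMTP: yes` prepended, and a message carrying that header may only leave over authenticated TLS (DANE, MTA-STS, or a certificate-verifying `smtp_tls_security_level`), never over merely opportunistic or unauthenticated-but-encrypted TLS. The set of Postfix security levels treated as authenticated, the sample addresses and the sample messages are this example's own assumptions.

```python
"""Illustrative REQUIRETLS decision logic (added example, not Postfix's own code).

Mirrors the rule from the thread: with requiretls_enable = yes and
requiretls_esmtp_header = yes (Postfix 3.11), a message whose headers include
"Require-TLS-ESMTP: yes" must be relayed over *authenticated* TLS.
"""
import ipaddress
from email import message_from_string
from email.message import Message

HEADER = "Require-TLS-ESMTP"

# Postfix smtp_tls_security_level values that authenticate the next-hop server
# (DANE- or certificate-verified). "encrypt" only guarantees encryption and so is
# NOT enough for REQUIRETLS. Which levels count as authenticated is an
# assumption made for this example.
AUTHENTICATED_LEVELS = {"dane", "dane-only", "fingerprint", "verify", "secure"}

# Simulation of the access(5) rule from the thread:
#   cidr:{ {192.0.2.0/24 PREPEND Require-TLS-ESMTP: yes} }
CIDR_PREPEND_RULES = [(ipaddress.ip_network("192.0.2.0/24"), f"{HEADER}: yes")]


def apply_client_access(raw_message: str, client_ip: str) -> str:
    """Simulate smtpd PREPEND: insert the header before the message headers
    when the connecting client's IP falls in a matching CIDR block."""
    addr = ipaddress.ip_address(client_ip)
    for network, header_line in CIDR_PREPEND_RULES:
        if addr in network:  # False for mismatched IPv4/IPv6 families
            return header_line + "\n" + raw_message
    return raw_message


def parse(raw_message: str) -> Message:
    """Parse an RFC 5322 message string into an email.message.Message."""
    return message_from_string(raw_message)


def requires_tls(msg: Message) -> bool:
    """True when the message demands REQUIRETLS via the ESMTP header."""
    return msg.get(HEADER, "").strip().lower() == "yes"


def may_deliver(msg: Message, next_hop_level: str, mta_sts_enforced: bool = False) -> bool:
    """Decide whether relaying to a next hop is permitted.

    next_hop_level:   the effective smtp_tls_security_level for that hop
    mta_sts_enforced: True when an MTA-STS policy in "enforce" mode applies,
                      which authenticates the MX independently of the level
    """
    if not requires_tls(msg):
        return True  # no REQUIRETLS demand: ordinary delivery policy applies
    if mta_sts_enforced:
        return True
    return next_hop_level.lower() in AUTHENTICATED_LEVELS


# Constructed sample messages (not real mail).
RAW_PLAIN = (
    "From: [email protected]\n"
    "To: [email protected]\n"
    "Subject: contract\n"
    "\n"
    "body\n"
)
RAW_REQUIRE = f"{HEADER}: yes\n" + RAW_PLAIN

MSG_PLAIN = parse(RAW_PLAIN)
MSG_REQUIRE = parse(RAW_REQUIRE)


if __name__ == "__main__":
    # Client inside the CIDR block gets the header prepended by the access rule.
    tagged = parse(apply_client_access(RAW_PLAIN, "192.0.2.7"))
    print("header added for 192.0.2.7:", requires_tls(tagged))
    for level in ("may", "encrypt", "dane", "secure"):
        print(f"REQUIRETLS message over level={level!r}:", may_deliver(tagged, level))
    print("REQUIRETLS message with MTA-STS enforce:", may_deliver(tagged, "encrypt", True))
```

The usage worth noting is the `encrypt` case: it is encrypted yet refused, which is exactly the caution in the reply above, since an unauthenticated peer could be an interceptor presenting any certificate.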