Harakiri:

> > 1) Configure the Postfix SMTP client to REQUIRE TLS.
> >
> >     smtp_tls_security_level=encrypt

no - as I said, my filter has its own rules and can be based on recipient, sender,
or a combination of both - postfix can't do this, or at least not without
different policy servers

> > 2) Configure the Postfix SMTP server to reject mail that
> >    cannot be delivered via SMTP-over-TLS.
> >
> >     smtpd_recipient_restrictions =
> >         reject_unverified_recipient
> >         permit_mynetworks
> >         reject_unauth_destination

again, doesn't work - as I said I want this policy based in an existing filter
- therefore I asked for a CMD app to check the existence of TLS myself
Given this:

> I know about all the difficulties with MX lookup etc, the original
> goal would be - that I have a policy for external domains - and
> that for certain domains a message should only be sent if TLS is
> available - if a message to a certain domain is sent which does
> not support TLS - it should be blocked -

You can configure reject_unverified_recipient to use a message delivery
transport that requires TLS, even when normal mail deliveries don't
require it:

/etc/postfix/main.cf:
    address_verify_transport_maps = hash:/etc/postfix/verify_transport

/etc/postfix/verify_transport:
    example.com    smtp-tls-required:

/etc/postfix/master.cf:
    smtp-tls-required unix - - - - - smtp
        -o smtp_tls_security_level=encrypt

Then, you can invoke reject_unverified_recipient SELECTIVELY for the
domains that need TLS.

	Wietse
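An added example, not code from either poster: a command-line STARTTLS check of the kind Harakiri asked for, with the per-sender/per-recipient policy applied in the external filter rather than by Postfix. It assumes the recipient domain has already been resolved to an MX host (MX lookup is out of scope), and the policy table and EHLO replies are constructed.

```python
#!/usr/bin/env python3
"""Check whether a mail host advertises STARTTLS and apply a TLS policy.

Added example for the thread above; the MX host is assumed to be
resolved already, and TLS_POLICY is a constructed sample table.
"""
import smtplib
import sys

# Constructed policy: (sender domain or "*", recipient domain) -> TLS required.
TLS_POLICY = {
    ("*", "bank.example"): True,
    ("hr.example.org", "partner.example"): True,
}


def starttls_offered(ehlo_reply: str) -> bool:
    """Return True if a raw multi-line EHLO reply advertises STARTTLS."""
    for line in ehlo_reply.splitlines()[1:]:   # first line is the server name
        if not line.startswith("250"):
            return False                        # not a success reply at all
        keyword = line[4:].strip().split(" ", 1)[0].upper()   # "250-KEY" / "250 KEY"
        if keyword == "STARTTLS":
            return True
    return False


def tls_required(sender: str, recipient: str) -> bool:
    """Policy lookup on the sender/recipient domain pair, then recipient alone."""
    sdom = sender.rsplit("@", 1)[-1].lower()
    rdom = recipient.rsplit("@", 1)[-1].lower()
    return bool(TLS_POLICY.get((sdom, rdom)) or TLS_POLICY.get(("*", rdom), False))


def decide(sender: str, recipient: str, ehlo_reply: str) -> str:
    """Filter verdict: REJECT when policy demands TLS but the MX offers none."""
    if tls_required(sender, recipient) and not starttls_offered(ehlo_reply):
        return "REJECT"
    return "OK"


def probe(mx_host: str, port: int = 25, timeout: int = 10) -> bool:
    """Live check: EHLO the MX host and report whether it advertises STARTTLS.
    An advertised STARTTLS only shows capability; certificate checks are
    still needed before trusting the session, which is what Postfix's
    smtp_tls_security_level settings handle."""
    with smtplib.SMTP(mx_host, port, timeout=timeout) as s:
        code, _ = s.ehlo()
        return code == 250 and s.has_extn("starttls")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_starttls.py MX-HOST")
    print("STARTTLS offered" if probe(sys.argv[1]) else "no STARTTLS")
```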