Harakiri:
> > 1) Configure the Postfix SMTP client to REQUIRE TLS.
> >
> > ? ? smtp_tls_security_level=encrypt
>
> no - as i said, my filer has own rules and can be based on recipient, sender,
> or a combination of both - postfix cant do this, or at least not without
> different policy servers
>
> >
> > 2) Configure the Postfix SMTP server to reject mail that
> > ???cannot be delivered via SMTP-over-TLS.
> >
> > ? ? smtpd_recipient_restrictions =
> > ??? reject_unverified_recipient
> > ??? permit_mynetworks
> > ??? reject_unauth_destination
>
> again, doesnt work - as i said i want this policy based in an existing filter
> - therefor i asked for a CMD app to check the existing of TLS myself
Given this:
> I know about all the difficulties with MX lookup etc, the original
> goal would be - that i have a policy for external domains - and
> that for certain domains a message should only be sent if TLS is
> available - if a message to a certain domain is sent which does
> not support TLS - it should be blocked -
You can configure reject_unverified_recipient to use a message
delivery transport that requires TLS, even when normal mail deliveries
don't require it:
/etc/postfix/main.cf:
address_verify_transport_maps = hash:/etc/postfix/verify_transport
/etc/postfix/verify_transport:
example.com smtp-tls-required:
/etc/postfix/master.cf:
smtp-tls-required unix - - - - - smtp
-o smtp_tls_security_level=encrypt
Then, you can invoke reject_unverified_recipient SELECTIVELY
for the domains that need TLS.
Wietse
