On Tue, Apr 03, 2012 at 09:39:22AM -0500, /dev/rob0 wrote:

> > One of these domains in particular is a remote site with their
> > own Exchange 2007 server and they have asked me to allow TLS
> > emails through, HSBC Bank is asking for this.
>
> I don't think the request is reasonable, but it is easy to do. A
> restriction class for this recipient domain, checked after
> reject_unauth_destination, which calls permit_tls_all_clientcerts.

This is definitely NOT what the client is asking for. They want their
business partners to be able to encrypt email in transit via TLS.
This just means that the OP needs to:

- Install an SSL cert on his inbound systems, issued by a mutually
  agreeable public CA. This is done by configuring the cert and key
  and setting smtpd_tls_security_level = may.

- Enable mandatory ("encrypt") or secure-channel ("secure") TLS
  encryption for scanned mail that is relayed to the requested
  client. This is done via smtpd_tls_policy_maps.

Both of these are easy and are documented in the TLS for SMTP servers
and TLS for SMTP clients sections of TLS_README.

If the client's business partners want secure-channel connections, not
just mandatory TLS with no authentication, they'll need to know what
CAs to expect in the server cert and which DNS names or name suffixes
will be associated with this service. They'll need to be notified in
advance of any cert updates (beyond simple renewal) that introduce new
DNS suffixes or new public CAs.

Ideally the uplink to the client is secure-channel, so that there is
no mismatch between sender expectation of security and reality.

-- 
	Viktor.
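An added configuration example that puts the two steps above together; it is not part of Viktor's message or of the Postfix project's documentation. The per-destination outbound policy is looked up through smtp_tls_policy_maps (the smtp_ client-side parameter; smtpd_ parameters configure the inbound server). The hostnames, file paths and partner domains below are placeholders.

```conf
# --- /etc/postfix/main.cf (excerpt; placeholder names) -------------------

# Inbound (smtpd): offer STARTTLS to every sender, using a cert issued by
# a public CA that the partner's Exchange server already trusts.
smtpd_tls_security_level = may
smtpd_tls_cert_file      = /etc/postfix/tls/mx.example.net.crt
smtpd_tls_key_file       = /etc/postfix/tls/mx.example.net.key
smtpd_tls_loglevel       = 1
smtpd_tls_received_header = yes

# Outbound (smtp): opportunistic TLS by default, with per-destination
# overrides taken from the policy table below.
smtp_tls_security_level = may
smtp_tls_CAfile         = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
smtp_tls_loglevel       = 1

# --- /etc/postfix/tls_policy (build with: postmap /etc/postfix/tls_policy)

# "encrypt": TLS is mandatory, the peer certificate is not verified.
# Mail is deferred, never sent in the clear, if TLS cannot be negotiated.
partner.example.com     encrypt

# "secure": TLS is mandatory AND the server cert must chain to a trusted
# CA and carry a name matching the agreed suffix (.bank.example) or the
# bare domain. This is why the partner must announce CA and DNS-suffix
# changes in advance: a new suffix not listed here defers their mail.
bank.example            secure match=.bank.example:bank.example
```

After `postmap /etc/postfix/tls_policy` and `postfix reload`, the effect is visible in the mail log: deliveries to the "secure" destination should log "Verified TLS connection established to ...", while an "encrypt" destination logs an Anonymous or Untrusted TLS connection. Either way a partner whose MX stops offering TLS shows up as deferred mail in the queue rather than as a silent plaintext downgrade, which is the mismatch between expectation and reality that the secure-channel uplink is meant to rule out.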