On Tue, Apr 03, 2012 at 09:39:22AM -0500, /dev/rob0 wrote:

> > One of these domains in particular is a remote site with their
> > own Exchange 2007 server and they have asked me to allow TLS
> > emails through, HSBC Bank is asking for this.
> 
> I don't think the request is reasonable, but it is easy to do. A 
> restriction class for this recipient domain, checked after 
> reject_unauth_destination, which calls permit_tls_all_clientcerts.

This is definitely NOT what the client is asking for. They want
their business partners to be able to encrypt email in transit
via TLS. This just means that the OP needs to:

        - Install an SSL cert on his inbound systems, issued by a
          mutually agreeable public CA. This is done by configuring
          the cert and key and setting smtpd_tls_security_level = may.

        - Enable mandatory ("encrypt") or secure-channel ("secure")
          TLS encryption for scanned mail that is relayed to the
          requested client. This is done via smtpd_tls_policy_maps.

Both of these are easy and are documented in the TLS for SMTP servers
and TLS for SMTP clients sections of TLS_README.

If the client's business partners want secure-channel connections, not
just mandatory TLS with no authentication, they'll need to know what
CAs to expect in the server cert and which DNS names or name suffixes
will be associated with this service. They'll need to be notified in
advance of any cert updates (beyond simple renewal) that introduce
new DNS suffixes or new public CAs.

Ideally the uplink to the client is secure-channel, so that there is
no mismatch between sender expectation of security and reality.

-- 
        Viktor.
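As an added illustration of the two steps described in the message above (example configuration, not part of Viktor's post or of the Postfix documentation), here is a main.cf fragment for the inbound side plus a per-destination policy table for the outbound side, using the outbound lookup table parameter smtp_tls_policy_maps as documented in TLS_README. The hostnames, file paths and partner domains are placeholders.

```conf
# --- /etc/postfix/main.cf (added example; paths and names are placeholders) ---

# Step 1: inbound (smtpd) side. Offer STARTTLS to any client that asks,
# using a cert/key issued by a public CA the partner is willing to trust.
# "may" means TLS is offered but never required for inbound mail.
smtpd_tls_cert_file = /etc/postfix/tls/mail.example.com.crt
smtpd_tls_key_file  = /etc/postfix/tls/mail.example.com.key
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# Step 2: outbound (smtp) side. Opportunistic TLS by default, with a
# per-destination policy table that raises the level for the partner.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing) ---
#
# "encrypt": TLS is mandatory, but the peer certificate is not verified,
#            so this defends against passive eavesdropping only.
#
# "secure":  TLS is mandatory, the peer certificate must chain to a CA in
#            smtp_tls_CAfile, and its name must match one of the names or
#            suffixes listed after "match=". Because of that list, the
#            partner must announce new DNS suffixes or new CAs before
#            rolling out a cert that introduces them, as the message notes.
#
# partner.example        secure  match=partner.example:.partner.example
# lesstrusted.example    encrypt
```

Delivery to partner.example is deferred (not sent in clear) if the partner's server fails to offer TLS or presents a certificate that does not verify.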
