On Tue, Jan 27, 2015 at 03:42:13PM +0100, Ralf Hildebrandt wrote:
> Something along the lines of:
> smtp_tls_policy_maps = cdb:/etc/postfix/tls-policy
>
> but for smtpd (if a connection comes in from $HOST, then require
> "encrypt", reject otherwise)
main.cf:
    indexed = ${default_database_type}:${config_directory}/
    smtpd_helo_restrictions =
        check_helo_access ${indexed}tls-by-helo

tls-by-helo:
    example.com reject_plaintext_session
I would not recommend setting reject_plaintext_session to 5XX, hosts
falling back to cleartext after a transient TLS failure should not
then bounce the message when a cleartext "MAIL FROM:" is rejected.
Perhaps the documentation for this parameter should mention that
the 450 default is generally the right long-term setting, rather
than an initial safety-net.
--
Viktor.
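Putting the reply above into a deployable form, as an added example that is not part of the thread: it renders the HELO-keyed access table, keeps plaintext_reject_code explicitly at the 450 default Viktor argues for, and verifies the lookup with postmap when the Postfix tools are installed. TABLE_DIR and the hash: table type are assumptions; in production the table lives under $config_directory with $default_database_type.

```shell
#!/bin/sh
# Added example, not code from the postfix-users thread.
set -eu

# Each listed HELO name maps to reject_plaintext_session; names not listed
# fall through the access table unchanged, so only these peers must use TLS.
render_tls_by_helo() {
    for helo in "$@"; do
        printf '%s\treject_plaintext_session\n' "$helo"
    done
}

# main.cf fragment. plaintext_reject_code stays at 450 so a peer that fell
# back to cleartext after a transient TLS failure defers and retries instead
# of bouncing the message on a rejected cleartext MAIL FROM.
render_main_cf() {
    cat <<'EOF'
indexed = ${default_database_type}:${config_directory}/
smtpd_helo_restrictions = check_helo_access ${indexed}tls-by-helo
plaintext_reject_code = 450
EOF
}

# Write the table into TABLE_DIR (assumed path), compile it, and query the
# first HELO name back to confirm the restriction is actually looked up.
deploy() {
    TABLE_DIR=$1
    shift
    mkdir -p "$TABLE_DIR"
    render_tls_by_helo "$@" > "$TABLE_DIR/tls-by-helo"
    if command -v postmap >/dev/null 2>&1; then
        postmap "hash:$TABLE_DIR/tls-by-helo"
        postmap -q "$1" "hash:$TABLE_DIR/tls-by-helo"
    else
        # No Postfix on this host: show the source table instead.
        cat "$TABLE_DIR/tls-by-helo"
    fi
}
```

Run as `deploy /etc/postfix example.com mx.example.net` on the mail host; the lookup should print reject_plaintext_session.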