> On Sep 19, 2016, at 11:35 AM, Tom Johnson <t...@terramar.net> wrote:
> At first I was thinking "Great, this could help us allow users to have 
> enforced TLS for certain senders/recipients", but then I realized that this 
> policy is probably be happening after the STARTTLS command, right?

No postscreen(8) is not smtpd(8), and is not involved in message transmission,
its job is to screen connections from "new" clients, that are not listed in
its cache.


> We have some users who are fine with opportunistic TLS for some of their 
> correspondents,
> but want to enforce TLS when communicating with a particular business 
> partner.  And we'd
> need to be able to set this on a per-domain, or even per-user basis.  (One 
> domain might
> want enforced TLS with example.com, and another might not).  Would this be 
> possible with
> this sort of postscreen policy daemon?

No.  Postscreen is not involved in outbound mail, which is where TLS policy is 
See http://www.postfix.org/TLS_README.html#client_tls_limits

Outbound TLS policy by destination is supported:


Outbound TLS policy by sender is not directly supported, but
if you're willing to configure separate transports for sufficiently
large groups of users that desire the same outbound TLS policy, you
can employ:


to route their outbound email via an appropriate transport.  That
transport would be configured with a matching TLS policy via
master.cf(5) overrides of either or both of:



Reply via email to