Understood. Thank you.

On Fri, 4 Jan 2019 at 15:11, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> On 04.01.19 14:44, Stefan Bauer wrote:
> >we have enforced TLS to all remote sites and have appropriate tls policy
> >server, that checks if TLS is avail before accepting mails. That works as
> >expected. we also only accept users with auth.
> >
> >smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
> >reject_unauth_destination
> >
> >smtpd_recipient_restrictions = check_policy_service unix:private/policy
> >
> >policy server returns dunno or defer...
> >
> >Now the problem:
> >
> >for some destinations, we are aware, that TLS fails, so we skip checking
> >and set "may" policy for specific users/destinations. However this settings
> >seems to have no effect anymore, when we enable check_policy_service.
> >
> >master.cf (snippet):
> >finance unix - - n - - smtp
> >smtp_tls_policy_maps=hash:/etc/postfix/tls/finance
> >
> >tls/finance:
> >remote-site.de may
> >
> >policy server responds with defer.... and custom smtp_tls_policy_maps are
> >ignored.
> >
> >How to work around this?
>
> this looks to me that you search for connection between
> smtpd_recipient_restrictions and smtp_tls_policy_maps, and there is none.
>
> the "check_policy_service private/policy" communicates via unix socket
> private/policy (apparently in postfix directory) to external program that
> tells smtpd what to do.
>
> if you want your policy server to return dunno for sending domain
> "remote-site.de", your policy server must look to the
> /etc/postfix/tls/finance table for the remote-site.de domain.
>
> the policy server doesn't look to your "smtp_tls_policy_maps" settings,
> usually it does not read postfix configuration at all.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Nothing is fool-proof to a talented fool.
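
The approach described in the quoted reply, as an added example that is not part of the thread or of anyone's actual policy server: a policy-delegation handler that reads the tls/finance table itself and answers dunno for destinations listed as "may". It assumes the policy server can read the table's text source and that the exemption is keyed on the recipient's domain; `tls_available` and all function names are hypothetical, and the sample table and requests are constructed.

```python
import io

# Constructed sample: source text of the table behind hash:/etc/postfix/tls/finance.
SAMPLE_TABLE = "# destinations where TLS is known to fail\nremote-site.de may\n"
# Constructed sample: two policy-delegation requests, each ended by an empty line.
SAMPLE_REQUESTS = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\nrecipient=bob@Remote-Site.DE\n\n"
    "request=smtpd_access_policy\nprotocol_state=RCPT\nrecipient=amy@example.org\n\n"
)

def load_tls_policy(text):
    """Parse 'destination level' lines; '#' starts a comment line."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].lower()
    return table

def read_request(stream):
    """Return one request as a dict, or None on EOF or a truncated request."""
    attrs = {}
    for raw in stream:
        line = raw.rstrip("\r\n")
        if line == "":
            return attrs
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return None

def decide(attrs, exempt, tls_available):
    """Return the access(5) action for one request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "dunno"
    domain = attrs.get("recipient", "").rpartition("@")[2].lower()
    if exempt.get(domain) == "may":  # listed destination: skip the TLS check
        return "dunno"
    # tls_available is a hypothetical stand-in for the existing TLS probe.
    return "dunno" if tls_available(domain) else "defer TLS not available for " + domain

def serve(stream_in, stream_out, exempt, tls_available):
    """Answer requests until EOF; each reply is 'action=...' plus an empty line."""
    while (attrs := read_request(stream_in)) is not None:
        stream_out.write("action=%s\n\n" % decide(attrs, exempt, tls_available))
        stream_out.flush()

if __name__ == "__main__":
    out = io.StringIO()
    serve(io.StringIO(SAMPLE_REQUESTS), out, load_tls_policy(SAMPLE_TABLE), lambda d: False)
    print(out.getvalue(), end="")
```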