postfix-users October 2010 archive
Main Archive Page > Month Archives  > postfix-users archives
postfix-users: Re: SMTPD TLS policy by Client IP ?

Re: SMTPD TLS policy by Client IP ?

From: Victor Duchovni <Victor.Duchovni_at_nospam>
Date: Thu Oct 28 2010 - 19:57:10 GMT
To: postfix-users@postfix.org

On Thu, Oct 28, 2010 at 02:48:11PM -0500, Noel Jones wrote:

>> However for incoming mail it looks like
>> "smtpd_tls_security_level" it is all or none on enforcement of
>> encryption.
>> Does such a control exist?
>
> You can use a check_client_access maps with "reject_plaintext_session"
> action.
> http://www.postfix.org/postconf.5.html#reject_plaintext_session

Yep, put the IPs in a "cidr:" table, and off you go. This is only
a band-aid of course, TLS policy is up to the sender, a misconfigured
sender gateway can send the mail to the wrong place, with or without
encryption.

        http://www.postfix.org/TLS_README.html#client_tls_limits

Maintaining lists of peer IPs on which to enforce TLS is a pain, I
don't recommend this unless the IPs at the other end are also yours.

-- Viktor.