|
> All I care about is what our Business Partner/Funder cares about. All
> outbound mail from us to them must be via TLS or bounced. Inbound
> mail from them may or may not be TLS on our side. They are forcing the
> outbound TLS to us on their side.

Good, it is *their* responsibility to enforce TLS when sending *to you*.
It is *your* responsibility to enforce TLS when sending *to them*.

Since they are already doing their part, you don't need any TLS
enforcement in your SMTP *server* (smtpd). All you need is

main.cf:
    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

tls_policy:
    example.com encrypt|verify|secure [attr=val ...]

If mail to them is routed via a transport table entry:

transport:
    example.com smtp:[tls.example.com]

then the policy table lookup key must be the transport table nexthop:

tls_policy:
    [tls.example.com] encrypt|verify|secure [attr=val ...]

> See, http://www.postfix.org/TLS_README.html#client_tls_limits
>
> This explains why TLS policy enforcement is up to the sending client,
> with the server passively enabling the client to do the right thing.
>
> It is not really possible to do useful selective TLS enforcement on
> the server.

-- 
    Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:

<mailto:majordomo?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
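An added example, not Viktor's or Postfix's code, that models the lookup he describes so an operator can audit whether each must-encrypt destination actually hits a tls_policy entry: the key is the verbatim transport nexthop (brackets and port included) when one exists, otherwise the recipient domain. It assumes constructed transport and tls_policy tables, uses exact-key matching only (real Postfix also tries parent domains), and takes the global smtp_tls_security_level as a parameter.

```python
"""Audit which domains that must use TLS are really covered by tls_policy.
Simplified model of the smtp(8) client lookup; constructed example tables."""

# Levels at which Postfix defers mail rather than sending it in clear text.
MANDATORY = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

# Constructed sample tables in the text form of hash:/etc/postfix/transport
# and hash:/etc/postfix/tls_policy (not the poster's real configuration).
TRANSPORT = """
partner.test     smtp:[mx.partner.test]
relay.example    smtp:[tls.relay.example]:587
"""
TLS_POLICY = """
example.com                 secure
partner.test                encrypt
[tls.relay.example]:587     encrypt
"""


def parse_table(text):
    """Parse 'key value...' lines into a dict; blank and '#' lines ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def policy_key(domain, transport):
    """Key smtp(8) uses for smtp_tls_policy_maps when delivering to domain."""
    _method, _sep, nexthop = transport.get(domain, "").partition(":")
    # A nexthop such as [host] or [host]:port replaces the domain as the key.
    return nexthop if nexthop else domain


def effective_level(domain, transport, policy, default_level):
    """TLS level applied to domain; default_level stands in for the global
    smtp_tls_security_level (assumed here) when no policy entry matches."""
    entry = policy.get(policy_key(domain, transport))
    return entry.split()[0] if entry else default_level


def audit(required, transport, policy, default_level="may"):
    """Return {domain: (lookup key, level, enforced?)} for required domains."""
    result = {}
    for d in required:
        level = effective_level(d, transport, policy, default_level)
        result[d] = (policy_key(d, transport), level, level in MANDATORY)
    return result
```

In the sample, partner.test is keyed on the domain but routed via [mx.partner.test], so the lookup misses and the domain falls back to the global level, which is exactly the mismatch the post warns about.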
© 2004-2008 readlist.com