Enforce TLS on outbound traffic only?

Discussion in 'Server Operation' started by vmos, Jan 26, 2011.

  1. vmos

    vmos Member

    SOLVED /// I think

    Good afternoon,
    I've set up a postfix server according to these instructions

    http://www.howtoforge.com/virtual-users-domains-postfix-courier-mysql-squirrelmail-ubuntu-10.04

    It's working well. I've also enabled opportunistic TLS, but I'm trying to figure out if I can enforce TLS on outbound mail and leave inbound mail with opportunistic TLS.

    Can anyone point me in the right direction?

    /edit It's only certain domains I need to enforce for; this command seems to be what I'm after

    smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

    but I'm buggered if I can find the right syntax for the tls_policy file; everything I try stops postfix delivering altogether

    /edit edit edit Think I've got it.

    This parameter in postfix/main.cf does the trick

    smtp_tls_security_level = encrypt

    This means that the server will accept any mail inbound but will only send mail to TLS-enabled servers. Not suitable for everyone, but as this server was only ever intended to relay mail to certain domains that we know are TLS-enabled, it works for us.

    Also, I used this on a test server first and discovered that the server tries to deliver the mail to amavis, but amavis doesn't do TLS, so the mail bounced. It was fine once I disabled amavis. It's also fine delivering to servers that have amavis on them; just don't have this rule on the same server as amavis.
     
    Last edited: Jan 27, 2011
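
An added configuration example, not part of the original post: one way to enforce TLS per destination with `smtp_tls_policy_maps` while leaving inbound mail and all other outbound mail opportunistic. The domain `partner.example` is a constructed placeholder, and the amavis next hop `[127.0.0.1]:10024` is an assumption based on the common `content_filter = amavis:[127.0.0.1]:10024` setup with an `smtp`-type transport; check `main.cf` and `master.cf` for the actual values.

```conf
# ---- /etc/postfix/main.cf ----
# smtpd_* parameters control the SMTP *server* (inbound mail).
# "may" = offer STARTTLS but still accept plaintext sessions.
smtpd_tls_security_level = may

# smtp_* parameters control the SMTP *client* (outbound mail).
# Default stays opportunistic; the policy table overrides it per destination.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# ---- /etc/postfix/tls_policy ----
# One entry per line: <next-hop destination> <whitespace> <security level>
# The lookup key is the next-hop (normally the recipient domain),
# not the hostname of the MX server that ends up receiving the mail.

# Constructed placeholder domain: refuse to deliver without TLS.
partner.example         encrypt
# A leading dot matches next-hop subdomains of the domain.
.partner.example        encrypt

# Assumed local content filter that does not speak TLS.
# Only needed when the global smtp_tls_security_level is "encrypt"
# or stricter, as in the post above; harmless otherwise.
[127.0.0.1]:10024       none

# ---- after every edit of tls_policy ----
# A hash: table is read from the compiled tls_policy.db file, so rebuild it
# and reload Postfix:
#   postmap /etc/postfix/tls_policy
#   postfix reload
# Then check the result for a test message in the mail log.
```

`encrypt` requires an encrypted session but does not verify the remote certificate; the `verify` and `secure` levels add certificate checks for destinations where that is required.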
Tags: postfix, tls, ubuntu