Grant Sturgis wrote:
Good day,
I am interested in the smtpd equiv of
smtp_tls_policy_maps.
What I want to do is only accept email from certain sites if it is
encrypted. Don't accept mail from these sites if it is not encrypted.
Is this possible?
Thanks in advance,
Grant
----------------
Sort of.
The simplest use is either a check_client_access or
check_sender_access table listing the {client IP or hostname,
sender's domain} with a result of 'reject_plaintext_session'.
This does nothing to verify identity, but does ensure the
communication is encrypted.
You would choose check_client_access or check_sender_access
depending on which entity requires encryption:
- All mail arriving from the mail client mx.example.org must
be encrypted: use check_client_access with a key
"mx.example.org" or (better) the IP address of that client.
- All mail arriving with an envelope sender address of
[EMAIL PROTECTED] (not necessarily the From: header) must be
encrypted: use check_sender_access with a key "example.com".
Envelope sender address example:

    # main.cf
    smtpd_sender_restrictions =
        check_sender_access hash:/etc/postfix/require_crypt

    # require_crypt
    example.com     reject_plaintext_session

http://www.postfix.org/postconf.5.html#reject_plaintext_session
You can also use smtpd_restriction_classes to match senders
and clients.
http://www.postfix.org/RESTRICTION_CLASS_README.html
If your requirement is to verify the identity of the client,
your setup becomes more complicated and, because your postfix
will need to ask for client certificates, may experience
compatibility problems with the general internet. This type
of setup is probably best used on a private connection, such as
an IP not listed as your public MX or a non-standard port.
Please see:
http://www.postfix.org/TLS_README.html#server_access
--
Noel Jones
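
The reply above shows only the envelope-sender table. The client-side variant it describes is sketched here as an added example that is not part of Noel Jones's message, together with the server TLS settings the check depends on. The table name require_crypt_clients, the address 192.0.2.25 and the certificate paths are assumptions chosen for illustration.

```conf
# /etc/postfix/main.cf
# STARTTLS must be offered, or the listed clients can never satisfy
# reject_plaintext_session. "may" keeps TLS optional for everyone else.
smtpd_tls_security_level = may
# Placeholder paths (assumption): point these at your own certificate and key.
smtpd_tls_cert_file = /etc/postfix/tls/server-cert.pem
smtpd_tls_key_file = /etc/postfix/tls/server-key.pem

smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/require_crypt_clients

# reject_plaintext_session replies with plaintext_reject_code, a temporary
# 450 by default, so a plaintext sender retries later instead of bouncing.
# Uncomment for a permanent rejection.
#plaintext_reject_code = 550

# /etc/postfix/require_crypt_clients
# Constructed sample key from the 192.0.2.0/24 documentation range.
192.0.2.25      reject_plaintext_session

# After editing the table, rebuild it and reload Postfix:
#   postmap /etc/postfix/require_crypt_clients
#   postfix reload
# Confirm the key resolves to the expected action:
#   postmap -q 192.0.2.25 hash:/etc/postfix/require_crypt_clients
```

Keying on the client IP address avoids depending on reverse DNS for the hostname match.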