Victor Duchovni:
> On Thu, Feb 12, 2009 at 08:33:35AM -0500, Wietse Venema wrote:
> 
> > > > > is there a way to enforce TLS dependent on the sender domain?
> >
> > This would have to be simulated with sender_dependent_relayhost_maps.
> > Specify a Postfix instance that encrypts all outbound mail. Postfix
> > multi-instance support will go alpha in a few days.
> 
> To expand this a bit, you deploy (at least) two Postfix instances on
> your system.
> 
> The input instance accepts mail from senders and normally delivers it
> directly to the nexthop gateway for the destination. You already have
> this.
> 
> The (TLS) output instance has a separate config_directory, queue_directory
> and data_directory, but shares the Postfix executables and docs. In the
> output instance, TLS is enforced for certain destinations.
> 
> The input instance uses sender_dependent_relayhost_maps to route some
> mail to the (TLS) output instance.
> 
> This scales poorly if different customers want to enforce TLS for
> different sets of destinations at different security levels. If that
> happens, it is much better to just field a separate input MTA for
> "special-needs" customers, and have the input instances do all the work.
> 
> The main difficulty with multiple input instances is that it is difficult
> to get the process limits right. If loads on all the input instances
> spike at the same time, your system may not have enough disk I/O or CPU
> to handle the load.
> 
> There is no sender_dependent_tls_policy_maps, nor any lookup key syntax
> for TLS policy by sender *and* recipient domain combined.

In addition, when people say "sender" they sometimes mean the client
IP address, instead of the envelope sender domain or address.

If the poster wants encryption depending on client IP address, then
they will have to direct those clients directly to an MTA instance
that encrypts all outbound mail. That also gives more assurance that
bounces will be encrypted.

        Wietse
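As an added illustration (not configuration from the thread or from the Postfix distribution), here is a minimal version of the two-instance layout Victor describes: the existing input instance routes selected sender domains to a second instance at /etc/postfix-tls listening on 127.0.0.1:10025, which enforces TLS on everything it sends. The domain names, paths and port are assumptions.

```conf
# ---- Input instance: /etc/postfix/main.cf (the MTA you already have) ----
# Route mail from selected envelope-sender domains to the TLS output
# instance; everything else keeps its normal next-hop (relayhost or MX).
sender_dependent_relayhost_maps = hash:/etc/postfix/sender_relay
smtp_tls_security_level = may            # opportunistic TLS for the rest

# /etc/postfix/sender_relay   (build with: postmap /etc/postfix/sender_relay)
# Key is the envelope sender address or domain; value is the next-hop.
# A bounce carries the null sender, so it matches no domain key here:
# this is the bounce caveat raised in the thread.
# customer-a.example        [127.0.0.1]:10025
# vip@customer-b.example    [127.0.0.1]:10025

# ---- Output instance: /etc/postfix-tls/main.cf ----
# Separate config/queue/data directories; the binaries and docs are shared.
config_directory = /etc/postfix-tls
queue_directory  = /var/spool/postfix-tls
data_directory   = /var/lib/postfix-tls
# Only the input instance on this host may hand mail to this instance.
mynetworks = 127.0.0.0/8
smtpd_recipient_restrictions = permit_mynetworks, reject
# Every delivery from this instance must be encrypted; selected
# destinations are raised to certificate-verified ("secure") delivery.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_policy_maps = hash:/etc/postfix-tls/tls_policy

# /etc/postfix-tls/tls_policy   (postmap /etc/postfix-tls/tls_policy)
# Key is the recipient next-hop domain only; as the thread notes, there
# is no key syntax combining sender and recipient domain.
# partner.example           secure match=partner.example
# bank.example              secure

# ---- Output instance: /etc/postfix-tls/master.cf ----
# Listen only on the loopback port that the input instance relays to.
# 127.0.0.1:10025 inet  n  -  n  -  -  smtpd
```

Each instance runs from its own config_directory, e.g. `postfix -c /etc/postfix-tls start`; because the output instance enforces `encrypt` as its default, a destination that cannot negotiate TLS stays queued there rather than falling back to cleartext.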
