On Tue, 2010-08-24 at 11:42 -0400, Victor Duchovni wrote:
> On Tue, Aug 24, 2010 at 10:29:43AM -0500, Noel Jones wrote:
>
> > On 8/24/2010 10:24 AM, Vernon A. Fort wrote:
> >> We have a few companies that we need have ALL email traffic encrypted.
> >> We can no longer 'blindly trust' the end user to not include sensitive
> >> information in email. A VPN would be an easier solution but it's not an
> >> option at this point.
> >>
> >> So, the outbound appears to be simple:
> >>
> >> smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> >> with
> >> domain.com encrypt
> >> .domain.com encrypt
> >>
> >> basically, if the email is destined for THIS (or these) domain(s),
> >> enforce encryption. If we cannot, immediately return the email.
> >>
> >> But how do I enforce email connections FROM specific sites (IPs) to be
> >> encrypted, i.e. reject_if_NOT_tls_connection?
> >>
> >> Vernon
> >
> > http://www.postfix.org/postconf.5.html#reject_plaintext_session
> >
> > abbreviated example of selective usage:
> >
> > smtpd_sender_restrictions =
> >     check_client_access cidr:/path/force_tls
> >
> > # force_tls
> > 5.4.3.2/32    reject_plaintext_session
>
> See however,
>
> http://www.postfix.org/TLS_README.html#client_tls_limits
>
> the responsibility to encrypt falls largely on the sender. I would
> encourage you to work with the peer organization to have them encrypt
> traffic to your domains. Tracking their sending IPs scales poorly.
>
I agree, Victor, but I'm approaching this from a what-I-know-and-don't-know perspective. I am evaluating IF Postfix is the right solution, so I haven't (at this point) set up the configuration(s). These emails are in the medical/HIPAA regulations area, so a simple check box (so to speak) may not suffice for an auditor. I'm working with the other side to get this email encryption set up, but before we commit to a specific solution, I want some type of verification that they ARE connecting with TLS. A keeping-honest-people-honest kind of thing. The reject_plaintext_session is what I was looking for, but you're right, it may not scale very well. Especially if the sending domain has their email hosted and connections are from 20 different SMTP hosts that keep changing.

Vernon
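As an added example (not from the thread and not Postfix's own code), the following Python script reads Postfix smtpd log lines and reports which messages were accepted from a partner's hosts without a TLS session, which is the kind of evidence an auditor could be shown alongside the reject_plaintext_session setting. It groups log lines into sessions by the smtpd process id, flags a session as encrypted once Postfix logs "TLS connection established from", and matches peers by the reverse-DNS name Postfix prints (domain suffix) rather than by IP, so a partner whose sending hosts keep changing still gets covered. The log lines are constructed samples and the host and domain names are placeholders. Because the reverse name is controlled by whoever runs the sender's DNS, this is a verification of an honest peer's behaviour, not an enforcement mechanism; enforcement stays with reject_plaintext_session.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample maillog lines (placeholder hosts, documentation IP ranges).
# Session 4322 (relay7.partner.example) delivers a message without STARTTLS.
# Session 4324 has no reverse DNS, so Postfix logs the host as "unknown".
SAMPLE_LOG = """\
Aug 24 11:50:01 mx1 postfix/smtpd[4321]: connect from mail.partner.example[192.0.2.10]
Aug 24 11:50:01 mx1 postfix/smtpd[4321]: Anonymous TLS connection established from mail.partner.example[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 24 11:50:02 mx1 postfix/smtpd[4321]: 3A1B2C3D4E: client=mail.partner.example[192.0.2.10]
Aug 24 11:50:02 mx1 postfix/smtpd[4321]: disconnect from mail.partner.example[192.0.2.10]
Aug 24 11:51:10 mx1 postfix/smtpd[4322]: connect from relay7.partner.example[198.51.100.7]
Aug 24 11:51:11 mx1 postfix/smtpd[4322]: 5F6A7B8C9D: client=relay7.partner.example[198.51.100.7]
Aug 24 11:51:11 mx1 postfix/smtpd[4322]: disconnect from relay7.partner.example[198.51.100.7]
Aug 24 11:52:00 mx1 postfix/smtpd[4323]: connect from smtp.other.example[203.0.113.5]
Aug 24 11:52:01 mx1 postfix/smtpd[4323]: 0E1F2A3B4C: client=smtp.other.example[203.0.113.5]
Aug 24 11:52:01 mx1 postfix/smtpd[4323]: disconnect from smtp.other.example[203.0.113.5]
Aug 24 11:53:00 mx1 postfix/smtpd[4324]: connect from unknown[203.0.113.9]
Aug 24 11:53:01 mx1 postfix/smtpd[4324]: 7C8D9E0F1A: client=unknown[203.0.113.9]
Aug 24 11:53:01 mx1 postfix/smtpd[4324]: disconnect from unknown[203.0.113.9]
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
# Matches "Anonymous/Trusted/Untrusted/Verified TLS connection established from ..."
TLS_RE = re.compile(r"TLS connection established from (?P<host>\S+)\[(?P<ip>[^\]]+)\]")
CLIENT_RE = re.compile(r"^(?P<qid>[0-9A-Za-z]+): client=(?P<host>\S+)\[(?P<ip>[^\]]+)\]")
DISCONNECT_RE = re.compile(r"^disconnect from ")


def parse_sessions(log_text: str) -> List[Dict[str, object]]:
    """Return one record per accepted message: queue id, client host/IP, TLS yes/no.

    State is kept per smtpd pid: a 'connect from' line starts a plaintext session,
    a 'TLS connection established' line upgrades it, and the queue-id 'client=' line
    is where the message was accepted, so the TLS flag at that moment is recorded.
    """
    tls_by_pid: Dict[str, bool] = {}
    records: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if CONNECT_RE.match(msg):
            tls_by_pid[pid] = False  # new session: plaintext until STARTTLS succeeds
        elif TLS_RE.search(msg):
            tls_by_pid[pid] = True
        elif DISCONNECT_RE.match(msg):
            tls_by_pid.pop(pid, None)  # smtpd pids are reused, so forget the state
        else:
            c = CLIENT_RE.match(msg)
            if c:
                records.append({
                    "queue_id": c.group("qid"),
                    "client_host": c.group("host"),
                    "client_ip": c.group("ip"),
                    "tls": tls_by_pid.get(pid, False),
                })
    return records


def in_watched_domain(client_host: str, watched: Iterable[str]) -> bool:
    """True if the logged reverse-DNS name is the domain itself or a subdomain of it.

    Hosts logged as 'unknown' (no reverse DNS) can never match, so they must be
    reviewed separately; this is the limit of name-based matching.
    """
    host = client_host.lower()
    return any(host == d or host.endswith("." + d) for d in (w.lower() for w in watched))


def plaintext_from_watched(records: List[Dict[str, object]], watched: Iterable[str]) -> List[str]:
    """Queue ids of messages accepted from a watched partner domain without TLS."""
    watched = list(watched)
    return [str(r["queue_id"]) for r in records
            if in_watched_domain(str(r["client_host"]), watched) and not r["tls"]]


if __name__ == "__main__":
    recs = parse_sessions(SAMPLE_LOG)
    for r in recs:
        print(f'{r["queue_id"]} {r["client_host"]}[{r["client_ip"]}] tls={r["tls"]}')
    print("plaintext from partner.example:", plaintext_from_watched(recs, {"partner.example"}))
```

On a real system the same functions can be fed the output of `grep postfix/smtpd /var/log/maillog`; the unknown[...] session in the sample shows why the report should also list plaintext sessions from unresolvable hosts rather than silently ignoring them.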