On Tue, 2010-08-24 at 10:29 -0500, Noel Jones wrote:
> On 8/24/2010 10:24 AM, Vernon A. Fort wrote:
> > We have a few companies that we need to have ALL email traffic encrypted.
> > We can no longer 'blindly trust' the end user to not include sensitive
> > information in email. A VPN would be an easier solution but it's not an
> > option at this point.
> >
> > So, the outbound appears to be simple:
> >
> > smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> > with
> > domain.com encrypt
> > .domain.com encrypt
> >
> > basically, if the email is destined for THIS (or these) domain(s),
> > enforce encryption. If we cannot, immediately return the email.
> >
> > But how do I enforce email connections FROM specific sites (IPs) to be
> > encrypted, i.e. reject_if_NOT_tls_connection?
> >
> > Vernon
> >
>
> http://www.postfix.org/postconf.5.html#reject_plaintext_session
>
> abbreviated example of selective usage:
>
> smtpd_sender_restrictions =
>   check_client_access cidr:/path/force_tls
>
> # force_tls
> 5.4.3.2/32 reject_plaintext_session
Thanks Noel - would this work with a domain configuration, like

smtpd_sender_restrictions =
  check_client_access hash:/etc/postfix/force_tls

# force_tls
domain.com reject_plaintext_session

Meaning I do NOT accept email from domain.com that's not encrypted.

The cidr approach may be the best solution - just exploring my options. Again, just seeing if there is a way to ENSURE/VALIDATE the other side is doing what they said they would do.

Vernon
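The two halves of the configuration discussed in this thread, pulled together into one worked main.cf fragment plus its two lookup tables. This is an added illustration, not configuration posted by either participant; the certificate paths, example.com and the 192.0.2.0/24 network are assumed stand-ins.

```conf
# ---- main.cf additions (added example; paths and addresses are assumed) ----

# Outbound: deliver to the domains listed in tls_policy only if STARTTLS
# succeeds; otherwise the mail is deferred and eventually bounced.
# "encrypt" enforces encryption only. It does NOT check who is on the other
# end; use the "verify" or "secure" levels in the policy table when the
# peer's certificate must also be validated (see postconf(5)).
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Inbound: the server must offer STARTTLS before reject_plaintext_session
# can ever be satisfied, so the smtpd side needs at least "may" plus a
# certificate. The Received: header then records whether TLS was used,
# which gives an audit trail for the "did they really encrypt" question.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/cert.pem
smtpd_tls_key_file = /etc/postfix/key.pem
smtpd_tls_received_header = yes

# check_client_access is keyed on the connecting client's IP address,
# network, hostname or parent domains, never on the envelope sender
# domain. Keying on the sender domain would need check_sender_access,
# and an envelope sender is trivial to forge, so the client IP (the
# cidr: form Noel showed) is the reliable key for this policy.
smtpd_sender_restrictions =
    check_client_access cidr:/etc/postfix/force_tls

# ---- /etc/postfix/tls_policy  (then run: postmap /etc/postfix/tls_policy) ----
# Exact domain and all subdomains of the partner.
example.com     encrypt
.example.com    encrypt

# ---- /etc/postfix/force_tls  (cidr: tables need no postmap) ----
# Partner's outbound relay range: sessions from it must be TLS or are rejected.
192.0.2.0/24    reject_plaintext_session
```

Reload with `postfix reload` after editing; `postconf -n` shows the effective settings, and the `Received:` headers on mail from the partner range confirm that TLS was in fact negotiated.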