On Tue, 2010-08-24 at 11:43 -0500, Vernon A. Fort wrote:
> On Tue, 2010-08-24 at 10:29 -0500, Noel Jones wrote:
> > On 8/24/2010 10:24 AM, Vernon A. Fort wrote:
> > > We have a few companies that we need to have ALL email traffic encrypted.
> > > We can no longer 'blindly trust' the end user to not include sensitive
> > > information in email. A VPN would be an easier solution but it's not an
> > > option at this point.
> > >
> > > So, the outbound appears to be simple:
> > >
> > > smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
> > > with
> > > domain.com encrypt
> > > .domain.com encrypt
> > >
> > > basically, if the email is destined for THIS (or these) domain(s),
> > > enforce encryption. If we cannot, immediately return the email.
> > >
> > > But how do I enforce email connections FROM specific sites (IPs) to be
> > > encrypted, i.e. reject_if_NOT_tls_connection?
> > >
> > > Vernon
> >
> >
> > http://www.postfix.org/postconf.5.html#reject_plaintext_session
> >
> >
> > abbreviated example of selective usage:
> >
> > smtpd_sender_restrictions =
> > check_client_access cidr:/path/force_tls
> >
> >
> > # force_tls
> > 5.4.3.2/32 reject_plaintext_session
>
> Thanks Noel - would this work with a domain configuration, like
> smtpd_sender_restrictions =
> check_client_access hash:/etc/postfix/force_tls
>
> # force_tls
> domain.com reject_plaintext_session
>
> Meaning I do NOT accept email from domain.com that's not encrypted. The
> cidr approach may be the best solution - just exploring my options.
> Again, just seeing if there is a way to ENSURE/VALIDATE the other side
> is doing what they said they would do.
Concerning outbound email to a specific domain that I need encrypted, I use smtp_tls_policy_maps. I would like some level of verification that the remote server IS the server I think it is. I see the smtp_tls_security_level as encrypt, fingerprint, verify or secure. What would be the best overall solution? If I do the fingerprint, do I MD5sum their public or private key?

Vernon
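An added checker for the two tables this thread discusses (example code, not from the thread or the Postfix project), with constructed sample tables embedded: it parses an smtp_tls_policy_maps table and a cidr: force_tls table, flags `encrypt` entries because that level mandates TLS without verifying the server certificate, checks that `fingerprint` entries carry an md5/sha1/sha256 digest of the right length, and checks that every force_tls client block parses and maps to reject_plaintext_session. The domain names, addresses and digest value are constructed placeholders.

```python
import ipaddress
import re

TLS_POLICY = """\
# constructed sample, outbound: smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
domain.com        encrypt
.domain.com       encrypt
partner.example   secure match=mail.partner.example
vendor.example    fingerprint match=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff
broken.example    fingerprint match=00:11:22
"""
FORCE_TLS = """\
# constructed sample, inbound: check_client_access cidr:/etc/postfix/force_tls
5.4.3.2/32        reject_plaintext_session
198.51.100.7      permit
300.1.1.1/32      reject_plaintext_session
"""
DIGEST_PAIRS = {16: "md5", 20: "sha1", 32: "sha256"}  # colon-separated bytes per digest
FP_RE = re.compile(r"([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}")
def parse_table(text):
    """Yield (key, [words]) per entry; blank lines and whole-line '#' comments are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, *words = line.split()
            yield key, words
def check_tls_policy(text):
    """Return (destination, problem) findings for the outbound policy table."""
    findings = []
    for dest, words in parse_table(text):
        level = words[0] if words else ""
        attrs = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        if level == "encrypt":  # mandatory TLS, but the server certificate is not verified
            findings.append((dest, "encrypt: peer not authenticated; consider secure or fingerprint"))
        elif level == "fingerprint":  # several digests may be OR-ed together with '|'
            digests = attrs.get("match", "").split("|")
            if not all(FP_RE.fullmatch(d) and d.count(":") + 1 in DIGEST_PAIRS for d in digests):
                findings.append((dest, "fingerprint: match= is not an md5/sha1/sha256 digest"))
    return findings
def check_force_tls(text):
    """Return (client, problem) findings for the inbound cidr: table."""
    findings = []
    for net, words in parse_table(text):
        try:
            ipaddress.ip_network(net, strict=False)  # a bare address is a single-host block
            if words != ["reject_plaintext_session"]:
                findings.append((net, "action is %r, not reject_plaintext_session" % " ".join(words)))
        except ValueError:
            findings.append((net, "not a valid CIDR block"))
    return findings
```

A real match= value is a fingerprint of the remote server's certificate in this colon-separated form, never anything derived from a private key.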