On Thu, Oct 28, 2010 at 02:48:11PM -0500, Noel Jones wrote:

>> However for incoming mail it looks like
>> "smtpd_tls_security_level" it is all or none on enforcement of
>> encryption.
>> Does such a control exist?
>
> You can use a check_client_access maps with "reject_plaintext_session"
> action.
> http://www.postfix.org/postconf.5.html#reject_plaintext_session
Yep, put the IPs in a "cidr:" table, and off you go. This is only a
band-aid of course, TLS policy is up to the sender, a misconfigured
sender gateway can send the mail to the wrong place, with or without
encryption.

    http://www.postfix.org/TLS_README.html#client_tls_limits

Maintaining lists of peer IPs on which to enforce TLS is a pain, I don't
recommend this unless the IPs at the other end are also yours.

-- 
	Viktor.
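
The setup discussed in this thread, as an added example that is not part of the original messages: opportunistic TLS for all clients, with plaintext sessions rejected only for listed peer addresses. The table path and the addresses (documentation ranges) are placeholders, and it assumes the server already has a certificate configured so that STARTTLS is offered.

```conf
# /etc/postfix/main.cf
# Opportunistic TLS for everyone: STARTTLS is offered but not required.
smtpd_tls_security_level = may

# Default value, shown because the check depends on it: client restrictions
# are evaluated at RCPT TO, after the client has had a chance to STARTTLS.
smtpd_delay_reject = yes

# Merge this with any client restrictions already in place.
smtpd_client_restrictions =
    check_client_access cidr:/etc/postfix/tls_required.cidr

# /etc/postfix/tls_required.cidr  (placeholder path and addresses)
# Peers that must use TLS. First matching pattern wins; clients that
# match nothing fall through and keep opportunistic TLS.
192.0.2.25/32       reject_plaintext_session
198.51.100.0/28     reject_plaintext_session
2001:db8:25::/48    reject_plaintext_session
```

A cidr: table is read as plain text, so there is no postmap build step; run "postfix reload" after editing it, and check a lookup with "postmap -q 192.0.2.25 cidr:/etc/postfix/tls_required.cidr". A listed client that skips STARTTLS gets the plaintext_reject_code reply (450 by default), so its mail stays queued on the sending side rather than bouncing at once.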