On 11/19/2010 3:03 PM, Jeroen Geilman wrote:
> On 11/19/2010 09:59 PM, Jerry wrote:
>> If I were to place this in my main.cf file:
>>
>> smtpd_client_restrictions =
>>     ...
>>     reject_plaintext_session
>>
>> Wouldn't that effectively enforce TLS or am I failing to
>> understand the directive?
>
> Yes.

Yes, non-encrypted sessions are rejected.

> To enforce TLS, use
>
> smtpd_tls_security_options = encrypt

Yes, that's the recommended method to enforce TLS. The
reject_plaintext_session feature is more useful as an access
table result rather than directly within smtpd_*_restrictions.

> If you were to add reject_plaintext_session to your *client*
> restrictions, any attempt at STARTTLS would fail, and you
> would never receive mail.

True only with the non-default and not particularly
recommended "smtpd_delay_reject = no", but still not a good
idea to use reject_plaintext_session in smtpd_*_restrictions.

-- Noel Jones
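
Added example, not part of the original thread: a configuration sketch of the access-table use of reject_plaintext_session mentioned above, where only selected clients are required to use TLS. The table path, the client address and the hostname are assumptions made for illustration; the server-wide alternative is shown commented out, under the parameter name documented in postconf(5), smtpd_tls_security_level.

```conf
# /etc/postfix/main.cf
# (Postfix does not allow trailing comments, so each comment is on its own line.)

# Offer STARTTLS to every client without requiring it.
smtpd_tls_security_level = may

# Server-wide alternative: require STARTTLS from every client.
# postconf(5) notes this must not be applied to a publicly referenced MX.
#smtpd_tls_security_level = encrypt

# Default value. Restrictions are evaluated at RCPT TO, after the client
# has had the chance to issue STARTTLS, so the lookup below cannot
# reject a client before it negotiates TLS.
smtpd_delay_reject = yes

# Look up the connecting client; a match returns reject_plaintext_session
# as the access table result (table path is an assumption).
smtpd_client_restrictions =
    check_client_access hash:/etc/postfix/tls_required_clients

# ---------------------------------------------------------------
# /etc/postfix/tls_required_clients
# Constructed sample entries: clients that must not send in plaintext.
# After editing, rebuild with: postmap /etc/postfix/tls_required_clients
192.0.2.10              reject_plaintext_session
mail.partner.example    reject_plaintext_session
```

Clients that do not match the table fall through to the remaining restrictions and may still deliver without TLS.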