On Tue, Mar 08, 2011 at 01:38:28PM +0100, Raven wrote:
> I would like to implement server-to-server TLS encryption between two
> postfix instances I manage. One of the servers already has
> TLS-capabilities but they are only used for SASL-AUTH clients.
>
> Where do I start to have the entire stream between the servers to be
> encrypted?
http://www.postfix.org/TLS_README.html#client_tls
http://www.postfix.org/TLS_README.html#client_tls_limits
http://www.postfix.org/TLS_README.html#client_tls_levels
http://www.postfix.org/TLS_README.html#client_tls_encrypt
http://www.postfix.org/TLS_README.html#client_tls_secure
http://www.postfix.org/TLS_README.html#client_tls_policy

main.cf:

    indexed = ${default_database_type}:${config_directory}/
    dynamic = btree:${data_directory}/
    transport_maps = ${indexed}transport
    smtp_tls_policy_maps = ${indexed}tls-policy

    # Opportunistic TLS by default
    smtp_tls_security_level = may
    smtp_tls_session_cache_database = ${dynamic}smtp_tls_scache

transport:

    example.com smtp:[mail.example.com]
    example.org smtp:example.net
    example.gov smtp:example.net

tls-policy:

    # transport nexthop gateway for example.com mail
    [mail.example.com] secure match=nexthop
    # transport nexthop domain for example.org and example.gov
    example.net secure
    # Domain routed via MX hosts to servers believed to support TLS
    # with verifiable certificates
    example.edu secure
--
Viktor.
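An added example (editor's code, not part of Viktor's message and not Postfix code): a small Python model of the lookups the posted tables drive, from recipient domain to transport next-hop, to the TLS policy entry, to the certificate names the "secure" level will accept. It assumes the lookup rules as documented in transport(5), postconf(5) and TLS_README (exact key first, parent domains only via leading-dot keys, policy lookup on the full bracketed next-hop with brackets and port stripped for name checks, default match "nexthop:dot-nexthop" for "secure"), copies the two tables from the message, and feeds in constructed recipient domains. It does no DNS or network I/O, so the "verify" level's MX-hostname matching is left out.

```python
# Added example, not from the original message and not Postfix code: a model of
# how the Postfix SMTP client picks the TLS policy for a recipient domain from the
# transport and tls-policy tables quoted above, following the lookup rules in
# transport(5), postconf(5) (smtp_tls_policy_maps) and TLS_README. The tables are
# copied from the message; the recipient domains tried at the bottom are constructed.

TRANSPORT = """
example.com smtp:[mail.example.com]
example.org smtp:example.net
example.gov smtp:example.net
"""

TLS_POLICY = """
# transport nexthop gateway for example.com mail
[mail.example.com] secure match=nexthop
# transport nexthop domain for example.org and example.gov
example.net secure
# Domain routed via MX hosts to servers believed to support TLS
# with verifiable certificates
example.edu secure
"""

DEFAULT_LEVEL = "may"  # smtp_tls_security_level = may in the posted main.cf
# Default match= for "secure" (TLS_README): next-hop domain and its sub-domains.
DEFAULT_MATCH = {"secure": "nexthop:dot-nexthop"}

def parse_table(text):
    """'key value...' per line; '#' comments and blank lines ignored; keys lower-cased."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            table[key.lower()] = value.strip()
    return table

def lookup_with_parents(table, domain):
    """transport(5) lookup: exact domain, then parent domains written with a leading dot."""
    domain = domain.lower()
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None

def transport_nexthop(transport, recipient_domain):
    """Next-hop from the transport table; with no entry mail is MX-routed to the domain."""
    entry = lookup_with_parents(transport, recipient_domain)
    if entry is None:
        return recipient_domain.lower()
    nexthop = entry.partition(":")[2]       # "smtp:[host]:port" -> "[host]:port"
    return nexthop or recipient_domain.lower()

def nexthop_domain(nexthop):
    """Strip brackets and :port; this is the name the certificate is verified against."""
    if nexthop.startswith("["):
        return nexthop[1:].partition("]")[0].lower()
    return nexthop.partition(":")[0].lower()

def tls_policy(policy_table, nexthop):
    """Policy for the full next-hop string (brackets and port included). Parent-domain
    matching applies only to a bare domain key, as postconf(5) documents."""
    key = nexthop.lower()
    if key.startswith("[") or ":" in key:
        entry = policy_table.get(key)
    else:
        entry = lookup_with_parents(policy_table, key)
    if entry is None:
        return DEFAULT_LEVEL, {}
    level, *attrs = entry.split()
    return level, dict(attr.partition("=")[::2] for attr in attrs)

def acceptable_cert_names(nexthop, level, attributes):
    """Certificate name patterns accepted under the policy's match= rules; a leading
    dot means 'any sub-domain'. Only "secure" is modelled; "verify" needs the MX name."""
    if level != "secure":
        return []
    domain = nexthop_domain(nexthop)
    names = []
    for rule in attributes.get("match", DEFAULT_MATCH[level]).split(":"):
        if rule == "nexthop":
            names.append(domain)
        elif rule == "dot-nexthop":
            names.append("." + domain)
        else:
            names.append(rule.lower())  # a literal name, e.g. match=mx.example.net
    return names

def cert_name_matches(cert_name, patterns):
    """True if a CN or DNS subjectAltName satisfies any pattern (case-insensitive)."""
    cert_name = cert_name.lower()
    return any(cert_name.endswith(p) and len(cert_name) > len(p) if p.startswith(".")
               else cert_name == p for p in patterns)

def plan(recipient_domain):
    """Recipient domain -> next-hop -> policy level -> accepted certificate names."""
    nexthop = transport_nexthop(parse_table(TRANSPORT), recipient_domain)
    level, attrs = tls_policy(parse_table(TLS_POLICY), nexthop)
    return {"nexthop": nexthop, "level": level,
            "cert_names": acceptable_cert_names(nexthop, level, attrs)}

if __name__ == "__main__":
    for domain in ("example.com", "example.org", "example.edu", "sub.example.edu", "other.example"):
        print(domain, plan(domain))
```

Two things the run makes visible that the tables alone do not: the bracketed `[mail.example.com]` entry is looked up verbatim and its certificate is checked against `mail.example.com`, which is why the explicit `match=nexthop` is there; and `sub.example.edu` falls back to the "may" default because `example.edu secure` covers only that exact key, so a policy meant for all sub-domains has to be written as `.example.edu`.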