On Tue, 2011-03-08 at 08:30 -0500, Victor Duchovni wrote:
> On Tue, Mar 08, 2011 at 01:38:28PM +0100, Raven wrote:
>
> > I would like to implement server-to-server TLS encryption between two
> > postfix instances I manage. One of the servers already has
> > TLS-capabilities but they are only used for SASL-AUTH clients.
> >
> > Where do I start to have the entire stream between the servers
> > encrypted?
>
> http://www.postfix.org/TLS_README.html#client_tls
> http://www.postfix.org/TLS_README.html#client_tls_limits
> http://www.postfix.org/TLS_README.html#client_tls_levels
> http://www.postfix.org/TLS_README.html#client_tls_encrypt
> http://www.postfix.org/TLS_README.html#client_tls_secure
> http://www.postfix.org/TLS_README.html#client_tls_policy
>
> main.cf:
> indexed = ${default_database_type}:${config_directory}/
> dynamic = btree:${data_directory}/
> transport_maps = ${indexed}transport
> smtp_tls_policy_maps = ${indexed}tls-policy
> # Opportunistic TLS by default
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = ${dynamic}smtp_tls_scache
>
> transport:
> example.com    smtp:[mail.example.com]
> example.org    smtp:example.net
> example.gov    smtp:example.net
>
> tls-policy:
> # transport nexthop gateway for example.com mail
> [mail.example.com]    secure match=nexthop
>
> # transport nexthop domain for example.org and example.gov
> example.net    secure
>
> # Domain routed via MX hosts to servers believed to support TLS
> # with verifiable certificates
> example.edu    secure
>
Thanks. How can I apply this to $relayhost without having to list all local domains in the transport map (as they are already listed in $virtual_mailbox_domains)?

-RV
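A simplified model of the two lookups behind Victor's answer and the $relayhost follow-up, added here as an example (not Postfix source and not code from the thread): a recipient domain is routed to its next-hop (transport entry, else $relayhost, else the domain itself), and that next-hop is the key looked up in the tls-policy map, with smtp_tls_security_level as the fallback. The map contents are the ones from the reply; the relayhost name and its policy entry are constructed to show that with a relayhost every domain not in the transport map shares one policy key.

```python
# Added illustration, not Postfix source: a simplified model of next-hop
# selection and smtp_tls_policy_maps lookup. Map data is taken from the
# thread; the relayhost entry is constructed for the follow-up question.

DEFAULT_LEVEL = "may"                       # smtp_tls_security_level = may

TRANSPORT = {                               # transport map from the reply
    "example.com": "[mail.example.com]",
    "example.org": "example.net",
    "example.gov": "example.net",
}
TLS_POLICY = {                              # tls-policy map from the reply
    "[mail.example.com]": "secure match=nexthop",
    "example.net": "secure",
    "example.edu": "secure",
}
# Constructed: one extra entry keyed by the verbatim $relayhost value.
RELAY_POLICY = dict(TLS_POLICY, **{"[relay.example.net]": "secure match=nexthop"})


def nexthop_for(domain, transport=TRANSPORT, relayhost=None):
    """A transport entry wins; otherwise $relayhost if set; otherwise the
    recipient domain itself (delivery via its MX hosts)."""
    if domain in transport:
        return transport[domain]
    return relayhost if relayhost else domain


def policy_for(nexthop, policy=TLS_POLICY, default=DEFAULT_LEVEL):
    """Exact key first. A bare domain (no [] and no :port) also matches
    parent-domain keys written with a leading dot; bracketed keys get
    a single lookup. Anything unmatched falls back to the main.cf level."""
    if nexthop in policy:
        return policy[nexthop]
    if not nexthop.startswith("[") and ":" not in nexthop:
        labels = nexthop.split(".")
        for i in range(1, len(labels)):
            parent = "." + ".".join(labels[i:])
            if parent in policy:
                return policy[parent]
    return default


def effective_tls(domain, relayhost=None, policy=TLS_POLICY):
    """Return (next-hop, TLS security level) for mail to the given domain."""
    hop = nexthop_for(domain, relayhost=relayhost)
    return hop, policy_for(hop, policy).split()[0]


if __name__ == "__main__":
    for dom in ("example.com", "example.org", "example.edu", "example.info"):
        print(dom, "->", effective_tls(dom))
    # With a relayhost, every domain not in transport shares one policy key.
    print("example.info via relay ->",
          effective_tls("example.info", "[relay.example.net]", RELAY_POLICY))
```

Note that a domain delivered locally (virtual_mailbox_domains) never reaches the smtp client, so it needs neither a transport entry nor a policy entry for this purpose.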