On Mon, Sep 09, 2013 at 09:06:20AM +0200, Luigi Rosa wrote:

> > Yes, but you do have to configure Postfix correctly.
>
> :) I managed to solve the problem, the key was smtp_tls_policy_maps, the main
> error I made was to put the server name instead of the mail domain name (the
> recipient is on a different domain from the FQDN of the server). As you
> pointed out, setting loglevel to 2 helped a lot.

The lookup key for TLS policy is the nexthop domain, which is by default
the envelope recipient domain, but can be preempted via transport(5)
mappings (including content_filter, default_transport, relay_transport, ...).

> This leads to a few more questions regarding smtp_tls_policy_maps:
>
> domain.com fingerprint match=...
>
> in this case domain.com is the domain name of the recipient (the text after
> '@' in the mail address) and not the FQDN of the MTA, correct?

It is the transport nexthop. If "example.com" has a transport entry:

    example.com smtp:[smtp.example.net]:12345

then the lookup key is:

    [smtp.example.net]:12345

> If domain.com has a backup MX without TLS how can I tell the
> smtp_tls_policy_maps not to use TLS with backup MX?

You can't. (There is a non-scalable approach with master.cf and
smtp_fallback_relay, but it is not worth the effort).

There's not much point in verified TLS security when the backup MX is
non-TLS. A man-in-the-middle attacker just drops connections to the
primary, and the traffic is in the clear. Opportunistic TLS is sufficient
when you can't secure all delivery paths.

> > You have failed to mention any related transport(5) settings. The SMTP TLS
> > policy table lookup key is the transport nexthop.
>
> I didn't set up anything in the transport file, Postfix uses the DNS to deliver
> the email. Should I put something in the transport file?

No. Rather, not explaining your configuration in detail makes it difficult
to help.

-- 
	Viktor.
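To make the nexthop rule from this reply concrete, here is an added Python sketch (not Postfix code and not from the thread) that models the two lookups in order: transport(5) to find the nexthop for a recipient, then the smtp_tls_policy_maps table keyed on that nexthop. The table contents, host names and fingerprint are constructed placeholders; the model covers only exact and ".parent" transport matching and an exact policy lookup, and assumes a global smtp_tls_security_level of "may" when no policy entry matches. It reproduces the mistake from the thread (keying the policy on the MTA host name) beside the corrected table.

```python
from typing import Dict, Optional, Tuple

# Constructed sample tables in transport(5) / smtp_tls_policy_maps text form.
# Hosts, domains and the fingerprint are placeholders, not real systems.
TRANSPORT_MAP = """
# domain                transport:nexthop
example.com             smtp:[smtp.example.net]:12345
.example.org            relay:[mailhub.example.org]
"""

# The mistake discussed in the thread: keyed on the remote MTA's host name.
TLS_POLICY_WRONG = """
smtp.example.net        fingerprint match=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
"""

# Keyed on the transport nexthop, which is what the SMTP client looks up.
TLS_POLICY_RIGHT = """
[smtp.example.net]:12345    fingerprint match=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33
[mailhub.example.org]       secure match=mailhub.example.org
example.net                 encrypt
"""

# Global smtp_tls_security_level used when the policy table has no entry
# (assumed to be "may", i.e. opportunistic TLS, for this illustration).
DEFAULT_LEVEL = "may"


def parse_table(text: str) -> Dict[str, str]:
    """Parse 'key value...' lines; blank lines and '#' comments are skipped."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        table[key.lower()] = value.strip()
    return table


def transport_lookup(domain: str, transport: Dict[str, str]) -> Optional[str]:
    """transport(5) matching as modelled here: the exact domain first, then a
    '.parent' entry, which covers subdomains of parent but not parent itself."""
    if domain in transport:
        return transport[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in transport:
            return transport[parent]
    return None


def nexthop_for(recipient: str, transport: Dict[str, str]) -> str:
    """The nexthop defaults to the envelope recipient domain; a transport entry
    with a non-empty nexthop field replaces it verbatim (brackets and port
    included), which is why the policy key need not look like a domain."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    entry = transport_lookup(domain, transport)
    if entry:
        _transport, _, nexthop = entry.partition(":")
        if nexthop:
            return nexthop
    return domain


def tls_policy_for(recipient: str, transport: Dict[str, str],
                   policy: Dict[str, str]) -> Tuple[str, str, Dict[str, str]]:
    """Return (lookup_key, security_level, attributes) for one recipient."""
    key = nexthop_for(recipient, transport)
    entry = policy.get(key)
    if entry is None:
        return key, DEFAULT_LEVEL, {}
    level, *attrs = entry.split()
    return key, level, dict(a.split("=", 1) for a in attrs)


if __name__ == "__main__":
    transport = parse_table(TRANSPORT_MAP)
    for name, text in (("wrong", TLS_POLICY_WRONG), ("right", TLS_POLICY_RIGHT)):
        policy = parse_table(text)
        for rcpt in ("luigi@example.com", "ops@sub.example.org", "bob@example.net"):
            key, level, attrs = tls_policy_for(rcpt, transport, policy)
            print(f"{name}: {rcpt:22} key={key:28} level={level} {attrs}")
```

With the "wrong" table, mail for example.com silently falls back to the global level because the key that is actually looked up, `[smtp.example.net]:12345`, never matches the host-name entry; a loglevel of 2, as the thread notes, is what makes that visible.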