I need to set up a server so that any mail to/from a specific domain (Alaska.gov - external to us) uses mandatory TLS. The server is a mail gateway - it doesn't have any local mailboxes and acts as a virus/spam filter relay to internal mail servers.

In main.cf:

    smtpd_use_tls = yes
    smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 2
    smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
    smtpd_tls_received_header = yes
    smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
    smtp_tls_security_level = may
    smtp_tls_loglevel = 2
    smtp_tls_policy_maps = hash:/etc/postfix/cbj_tls_policy

cbj_tls_policy looks like:

    alaska.gov encrypt

I'm a little confused, however, on the difference between the smtpd_* settings and the smtp_* settings. It seems that the smtp_* settings are for "client" connectivity and smtpd_* for "server". Is client defined as any external host contacting my server, i.e. an inbound connection? It's not clear to me whether it refers to just MUAs or also to remote MTAs. I presume that the smtpd settings are for messages that we originate.

Alaska.gov will set their side to only send to us using TLS. If they fail to, I want to reject it (but only them). I want to only send to them using TLS. If my server doesn't, it's on them to reject it, but it would be good to only send if it is encrypted.

Is there anything I should add or strip out of the above? Keys are already set up.

...Kevin
-- 
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357
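The following is an added example, not the poster's configuration or text from the Postfix documentation, showing how Postfix enforces TLS per direction for one peer domain: smtp_* parameters apply when this host opens a connection (it is the SMTP client), smtpd_* parameters apply when it accepts one (it is the SMTP server). The map file names, certificate paths and CA bundle location are assumptions.

```ini
# ---- main.cf (excerpt; all file paths below are assumed) ----
# Outbound: this host as SMTP client. Opportunistic TLS for everyone,
# with a per-destination policy map that raises the level for one domain.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
# Trust anchors are only consulted for the "secure"/"verify" levels.
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Inbound: this host as SMTP server. Keep "may" here; a global "encrypt"
# on a public MX would refuse mail from every sender that lacks STARTTLS.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/mx.crt
smtpd_tls_key_file = /etc/postfix/mx.key
smtpd_tls_loglevel = 1
# Default value, shown explicitly: restrictions are evaluated at RCPT TO,
# after the client has had the chance to issue STARTTLS.
smtpd_delay_reject = yes
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/tls_required,
    permit

# ---- /etc/postfix/tls_policy (lookup key = next-hop domain) ----
# "encrypt" only requires a TLS session; the peer certificate is not
# checked, so a man-in-the-middle with any certificate still succeeds.
alaska.gov    encrypt
# Stronger alternative once a trusted CA chain is known to work:
# alaska.gov    secure match=alaska.gov:.alaska.gov

# ---- /etc/postfix/tls_required (lookup key = envelope sender domain) ----
# Sessions from this sender domain that did not negotiate TLS are rejected;
# all other senders are unaffected. The envelope sender is unauthenticated,
# so this enforces the peer's stated policy rather than proving identity.
alaska.gov    reject_plaintext_session

# Build the indexed maps and reload after editing:
#   postmap /etc/postfix/tls_policy /etc/postfix/tls_required
#   postfix reload
```

With smtp_tls_loglevel and smtpd_tls_loglevel at 1, the mail log records one line per established TLS session in each direction, which is enough to confirm that both policies are taking effect.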