I have a rather unique situation where I'm looking to introduce a Postfix server as an outbound mail server to enforce and be able to report on encrypted messaging leaving the organization. Postfix version I'm using currently is 2.11, but happy to upgrade if that helps.
What I'd like to have happen is this:

1. Message is received from an internal user by the Postfix server.
2. The server attempts to deliver directly to the host specified by the MX record, and does so if encryption can be negotiated to match the specified policy.
3. If encryption to the remote server cannot be negotiated directly, forward the message to another relay for delivery (in reality, this is a secure mail portal that requires the user to come and authenticate to get the message).

I know using TLS_Policy and Transport maps I can force encryption all the way to a destination server. I also know I can specify either "may" encrypt for TLS or "require," but the semantics here don't seem to allow the specification of "require" that first attempts to direct deliver over TLS and falls back to a smart/relay host (which does allow TLS connections) if the direct delivery isn't possible.

Am I missing something here in terms of how to configure this in a way that will work as I'm hoping, or is that something that doesn't exist today?

Thanks,
Jacob

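For reference, here is what the per-destination mandatory-TLS setup referred to in the post looks like in Postfix's own syntax; this is an added example, not configuration from the original post or from the Postfix project, and the domain names and file paths are placeholders.

```conf
# /etc/postfix/main.cf (added example; paths and domains are assumptions)
smtp_tls_security_level = may                  # opportunistic TLS for everyone else
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
smtp_tls_loglevel       = 1                    # logs the negotiated cipher/protocol per delivery
smtp_tls_CAfile         = /etc/ssl/certs/ca-certificates.crt

# /etc/postfix/tls_policy (run "postmap /etc/postfix/tls_policy" after editing)
# "encrypt" = TLS mandatory, peer certificate not verified
# "secure"  = TLS mandatory and the certificate must chain to a trusted CA
#             and match the listed name(s)
partner-a.example          encrypt
partner-b.example          secure match=.partner-b.example:partner-b.example
```

With "encrypt" or "secure", a destination that does not offer STARTTLS (or fails verification) is deferred and retried, with the reason recorded in the mail log; the policy map by itself does not reroute the message to a different relay, which is why the fallback described in the post is not expressible here.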