> On May 31, 2016, at 10:01 AM, Rob Maidment <rmaidm...@gmail.com> wrote:
>
> I have clients where I'd like to replace Sendmail with Postfix however
> they have incoming mail requirements that prevent this, as far as I
> can tell. These are not so much to do with certificate validation but
> more fundamentally whether to enable TLS for a connecting host.

main.cf:
    cidr = cidr:${config_directory}/
    smtpd_discard_ehlo_keyword_address_maps = ${cidr}ehlo-addrs.cidr

ehlo-addrs.cidr:
    192.0.2.0/24 starttls,silent-discard

> For
> example they insist that mail arriving from certain IP addresses must
> use TLS whereas mail from other hosts must not.

main.cf:
    cidr = cidr:${config_directory}/
    smtpd_client_restrictions =
        check_client_access ${cidr}clnt-access

clnt-access:
    192.0.2.0/24 reject_plaintext_session

> They require the
> server to offer the STARTTLS option for some connecting hosts and not
> for others.

See above.

> As I understand it, if I set the smtpd_tls_security_level
> option (to may or encrypt) the option will be offered to all clients.
> Or have I missed something?

See above, note that if you suppress "STARTTLS" to some clients, then the
security level needs to be "may" not "encrypt" and you can then enforce
it with "reject_plaintext_session" as necessary.

-- 
	Viktor.
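A client-side probe for the two behaviours the configuration above is meant to produce, as an added example that is not code from the original thread or from Postfix: it connects in plaintext, checks whether the EHLO response still advertises STARTTLS, and then sends MAIL FROM / RCPT TO to see whether the session is refused before any TLS handshake. Hostnames, addresses and the sample replies are placeholders constructed for the example (assumptions); the reply code 450 comes from Postfix's default plaintext_reject_code.

```python
"""Probe which STARTTLS policy a Postfix server applies to this client.

Added example for the thread above, not code from the reply or Postfix.
Seen from a connecting client it checks:
  1. whether the EHLO response advertises STARTTLS (hidden per client
     via smtpd_discard_ehlo_keyword_address_maps);
  2. whether a plaintext MAIL FROM / RCPT TO is refused
     (reject_plaintext_session replies with plaintext_reject_code,
     450 by default; the probe matches the code, not the text).
With smtpd_delay_reject = yes (the Postfix default) client restrictions
are evaluated at RCPT TO, so the probe has to get that far.
Hostnames and addresses are placeholders (assumptions).
"""
import socket
import sys
from typing import Dict, List, Tuple

CRLF = "\r\n"

# Constructed sample replies (not captured from a real server).
SAMPLE_EHLO_WITH_STARTTLS = ("250-mail.example.com\r\n250-PIPELINING\r\n"
                             "250-STARTTLS\r\n250 8BITMIME\r\n")
SAMPLE_EHLO_NO_STARTTLS = ("250-mail.example.com\r\n250-PIPELINING\r\n"
                           "250 8BITMIME\r\n")
SAMPLE_PLAINTEXT_REJECT = "450 4.7.1 Session encryption is required\r\n"
SAMPLE_RCPT_OK = "250 2.1.5 Ok\r\n"


def parse_reply(text: str) -> Tuple[int, List[str]]:
    """Parse one SMTP reply: 'NNN-text' lines continue it, 'NNN text' ends it.
    Returns (code, [text of each line]); raises ValueError if malformed."""
    lines: List[str] = []
    for line in text.split(CRLF):
        if not line:
            continue
        if len(line) < 4 or not line[:3].isdigit() or line[3] not in " -":
            raise ValueError(f"malformed SMTP reply line: {line!r}")
        lines.append(line[4:])
        if line[3] == " ":
            return int(line[:3]), lines
    raise ValueError("reply has no terminating 'NNN text' line")


def starttls_offered(ehlo_lines: List[str]) -> bool:
    """True if the EHLO keyword list (everything after the greeting line)
    contains STARTTLS; keywords are case-insensitive (RFC 5321)."""
    return any(k.strip().upper() == "STARTTLS" for k in ehlo_lines[1:])


def plaintext_rejected(code: int) -> bool:
    """A 4xx/5xx reply to MAIL FROM or RCPT TO on a session that never
    negotiated TLS; reject_plaintext_session uses 450 by default."""
    return 400 <= code <= 599


class SmtpSession:
    """Minimal plaintext SMTP client, just enough for the probe."""

    def __init__(self, host: str, port: int = 25, timeout: float = 10.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.f = self.sock.makefile("rb")

    def read(self) -> Tuple[int, List[str]]:
        buf = ""
        while True:
            raw = self.f.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("utf-8", "replace")
            buf += line
            if len(line) >= 4 and line[3] == " ":   # final line of the reply
                return parse_reply(buf)

    def cmd(self, line: str) -> Tuple[int, List[str]]:
        self.sock.sendall((line + CRLF).encode("ascii"))
        return self.read()

    def close(self) -> None:
        try:
            self.cmd("QUIT")
        except (OSError, ValueError):
            pass          # server may already have dropped us after a reject
        finally:
            self.sock.close()


def probe(host: str, port: int = 25, helo: str = "probe.example",
          sender: str = "probe@example.org",
          rcpt: str = "postmaster@example.com") -> Dict[str, object]:
    """Connect in plaintext and report what this client IP is allowed."""
    s = SmtpSession(host, port)
    try:
        code, banner = s.read()
        if code != 220:
            raise RuntimeError(f"unexpected banner: {code} {banner}")
        code, ehlo = s.cmd(f"EHLO {helo}")
        if code != 250:
            raise RuntimeError(f"EHLO refused: {code} {ehlo}")
        code, text = s.cmd(f"MAIL FROM:<{sender}>")
        if code == 250:                      # delayed reject shows at RCPT TO
            code, text = s.cmd(f"RCPT TO:<{rcpt}>")
        return {"starttls_offered": starttls_offered(ehlo),
                "plaintext_rejected": plaintext_rejected(code),
                "last_reply": f"{code} {' '.join(text)}"}
    finally:
        s.close()


def evaluate_samples() -> Dict[str, bool]:
    """Run the classifiers over the constructed samples (offline demo)."""
    return {
        "with_starttls": starttls_offered(parse_reply(SAMPLE_EHLO_WITH_STARTTLS)[1]),
        "no_starttls": starttls_offered(parse_reply(SAMPLE_EHLO_NO_STARTTLS)[1]),
        "reject": plaintext_rejected(parse_reply(SAMPLE_PLAINTEXT_REJECT)[0]),
        "accept": plaintext_rejected(parse_reply(SAMPLE_RCPT_OK)[0]),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:          # python probe.py mail.example.com [port]
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 25))
    else:
        print(evaluate_samples())
```

Run it once from an address inside 192.0.2.0/24 and once from outside: the first should report no STARTTLS keyword and a 450 at RCPT TO, the second the opposite. Because Postfix evaluates smtpd_client_restrictions before the sender and recipient restrictions when the reject is delayed, a reject_plaintext_session entry is the reply you see when it applies; but a recipient the server would not relay for also yields a 5xx, so use a local recipient and read last_reply rather than trusting the boolean alone.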