Rob Maidment:
> > In master.cf:
> >
> >     smtp inet . . . . . postscreen -o smtpd_service_name=blah
> >     blah pass . . . . . smtpd
> >
> > See postscreen(8) and postconf(5) manpages for details.
> >
> >     Wietse
>
> Thanks, I don't know how I didn't spot that.
>
> Do you think it's feasible to enhance postscreen to hand off to
> different smtpd service names (e.g. with different SMTP AUTH
> settings), based on the IP address of the connecting client? Or based
> on the client domain name obtained via PTR record (with a fallback for
> when the lookup fails)? (The domain name requirement prevents me using
> the firewall to direct incoming connections to different SMTP ports,
> hence exploring the postscreen approach.)

I don't see that happen. I don't think that postscreen is viable
if it has to wait for DNS lookup with EVERY SMTP CONNECTION.

> I'm also interested in achieving different TLS settings for different
> clients (e.g. security level, client cert validation) so I guess
> postscreen would need to hand off to different tlsproxy service names
> too.

Another option is to use check_policy_service and look at the TLS
session properties after the handshake is completed. But you have
to be careful: if you break TLS interoperability, clients will send
plaintext, and security will be worse.

    Wietse
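
The check_policy_service approach mentioned in the reply, as an added example that is not part of the original thread and not Postfix's own code: a policy delegate that applies per-client TLS requirements using the session attributes smtpd sends after the handshake. The networks, the fingerprint and the rule layout are constructed placeholders; clients without a rule get DUNNO, so opportunistic TLS for everyone else is left untouched.

```python
import ipaddress
import sys

# Constructed per-client requirements; networks and fingerprint are placeholders.
TLS12_UP = {"TLSv1.2", "TLSv1.3"}
RULES = [
    (ipaddress.ip_network("192.0.2.0/24"),
     {"protocols": TLS12_UP, "min_keysize": 128, "ccert": None}),
    (ipaddress.ip_network("198.51.100.7/32"),
     {"protocols": TLS12_UP, "min_keysize": 128, "ccert": {"AA:BB:CC:DD"}}),
]

def parse_request(text):
    """Parse one request: name=value lines, terminated by an empty line."""
    head = text.split("\n\n", 1)[0]
    return dict(line.split("=", 1) for line in head.splitlines() if "=" in line)

def decide(attrs):
    """Return an access(5) action; clients without a rule are left alone."""
    try:
        addr = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"
    for net, req in RULES:
        if addr not in net:
            continue
        proto = attrs.get("encryption_protocol", "")
        if not proto:  # empty protocol attribute: the session is plaintext
            return "REJECT 5.7.0 TLS is required for this client"
        if proto not in req["protocols"]:
            return "REJECT 5.7.0 TLS protocol version not accepted"
        if int(attrs.get("encryption_keysize") or 0) < req["min_keysize"]:
            return "REJECT 5.7.0 Cipher key size too small"
        if req["ccert"] is not None and attrs.get("ccert_fingerprint") not in req["ccert"]:
            return "REJECT 5.7.0 Client certificate not recognised"
        return "DUNNO"
    return "DUNNO"

def respond(request_text):
    """Build the reply for one request: an action line plus an empty line."""
    return "action=%s\n\n" % decide(parse_request(request_text))

if __name__ == "__main__":  # run under spawn(8): requests on stdin, replies on stdout
    buf = []
    for line in sys.stdin:
        buf.append(line)
        if line == "\n":
            sys.stdout.write(respond("".join(buf)))
            sys.stdout.flush()
            buf = []
```

The attribute names used here (client_address, encryption_protocol, encryption_keysize, ccert_fingerprint) are those listed in Postfix's SMTPD_POLICY_README.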