On 24 June 2016 at 14:59, Wietse Venema <wie...@porcupine.org> wrote:
>> I need to ensure TLS is used (and client certificates are verified)
>> for some clients but not offered to others. What happens if I use
>> smtpd_discard_ehlo_keyword_address_maps to strip the STARTTLS keyword
>> but smtpd_tls_security_level is set to encrypt? Is the TLS
>> enforcement code aware that TLS was not offered?
>
> The SMTP session is in plaintext, and email delivery will fail.
I was afraid of that - so close and yet so far!

I could set smtpd_tls_security_level to "may" instead and then verify that TLS has been used where it is required (e.g. using a policy service); however, that means Postfix will not validate the client certificate, right? (because the smtpd_tls_req_ccert option is ignored when the security level is "may")

> If you need a system that distributes clients over different SMTP
> service instances, then that can be done with a new daemon that
> receives connections from postscreen, and that sends them to the
> appropriate smtpd services.

That's an interesting idea; I think that may be my best bet.

Thanks for all your help.

Rob
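The policy-service idea from the reply above, as an added example that is not code from this thread or from Postfix itself: a minimal SMTPD access policy daemon that, for clients which must use TLS, rejects sessions where Postfix reports no encryption or an unpinned client certificate fingerprint. The attribute names (client_address, encryption_protocol, ccert_fingerprint) are those of Postfix's policy delegation protocol; the network list, the pinned fingerprint and the listening port are constructed placeholders.

```python
import ipaddress
import socketserver

# Clients that must speak TLS and present a pinned certificate (constructed placeholder).
TLS_REQUIRED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Pinned client certificate fingerprints, as Postfix reports them (constructed placeholder).
ALLOWED_CCERT_FPS = {"CONSTRUCTED:FP:0001"}


def parse_request(text):
    """Parse the 'name=value' lines of one policy request into a dict."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name] = value
    return attrs


def requires_tls(client_address):
    """True if the connecting client falls inside a TLS-mandatory network."""
    try:
        addr = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    return any(addr in net for net in TLS_REQUIRED_NETS)


def evaluate(attrs):
    """Return a Postfix access action for one policy request."""
    if not requires_tls(attrs.get("client_address", "")):
        return "DUNNO"  # not a TLS-mandatory client; let later restrictions decide
    if not attrs.get("encryption_protocol"):  # empty when the session is plaintext
        return "REJECT TLS is required for this client"
    if attrs.get("ccert_fingerprint", "") not in ALLOWED_CCERT_FPS:
        return "REJECT unknown or missing client certificate"
    return "DUNNO"


class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        buf = []
        while True:
            line = self.rfile.readline()
            if not line:  # Postfix closed the connection
                return
            line = line.decode("utf-8", "replace")
            if line.strip() == "":  # blank line terminates a request
                action = evaluate(parse_request("".join(buf)))
                self.wfile.write(f"action={action}\n\n".encode())
                buf = []
            else:
                buf.append(line)


if __name__ == "__main__":
    # Reference it from smtpd_client_restrictions via check_policy_service inet:127.0.0.1:10040
    socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler).serve_forever()
```

Because smtpd_tls_req_ccert is ignored at level "may", this check pins fingerprints rather than relying on Postfix's chain verification; the pinned list has to be maintained out of band.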