I have a possibly unusual AUTH/TLS combination requirement. As a newbie, I could use a sanity check.

Requirements:

* All virtual mail clients will use SASL AUTH.
* Virtual mail clients on specific internal networks MUST NOT be offered TLS. This is to satisfy FCC requirements prohibiting the use of encryption on certain radio frequencies.
* Other virtual mail clients on internal networks may choose to use TLS or not. (Some simple network appliances don't support TLS at all, or don't support STARTTLS.)
* Virtual mail clients from external networks (outside the firewall) MUST use TLS.

So, I'm thinking I need three submission ports:

* one for AUTH but no TLS
* one for AUTH with opportunistic TLS
* one for AUTH with enforced TLS

So, I'm thinking:

/etc/postfix/master.cf:

    # Submission for internal, radio clients; access controlled by IP address in iptables
    2525       inet ...
      -o smtpd_tls_security_level=none
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      ...
    # Submission for internal, non-radio clients
    submission inet ...
      -o smtpd_tls_security_level=may
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      ...
    # Submission for external clients
    smtps      inet ...
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      ...

Does that make sense? Is there a better way? Is there anything I should keep in mind? All comments and suggestions would be helpful.

Thanks,
Michael
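As an added check (not code from Michael's post or from Postfix), the script below parses a constructed master.cf fragment laid out like the three services above and verifies that each carries the intended TLS and SASL overrides; the fixed service fields (`inet n - n - - smtpd`) are assumed standard values where the post writes `...`. It also flags the Postfix default `smtpd_sasl_security_options = noplaintext, noanonymous`, which on the no-TLS port would withhold the PLAIN and LOGIN mechanisms unless overridden.

```python
# Added example (not from the post or Postfix): lint -o overrides against the post's policy.
MASTER_CF = """\
2525       inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=none
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_security_options=noanonymous
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n  -  n  -  -  smtpd
  -o smtpd_tls_security_level=may
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""  # constructed; the fixed service fields are assumed standard, the post elides them

POLICY = {"2525": {"smtpd_tls_security_level": "none"},       # per-service expectations
          "submission": {"smtpd_tls_security_level": "may"},  # taken from the post
          "smtps": {"smtpd_tls_wrappermode": "yes"}}
COMMON = {"smtpd_sasl_auth_enable": "yes",                   # overrides all three share
          "smtpd_client_restrictions": "permit_sasl_authenticated,reject"}

def parse_master_cf(text):
    """Return {service: {option: value}} from each service's -o overrides."""
    services, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        tokens = line.split()
        if not line[0].isspace():  # service line: 8 fixed fields, then command args
            name, tokens = tokens[0], tokens[8:]
            services[name] = {}
        for opt in (t for i, t in enumerate(tokens) if i and tokens[i - 1] == "-o"):
            key, _, value = opt.partition("=")
            services[name][key] = value
    return services

def check(text):
    """Return {service: [finding, ...]}; an empty dict means the fragment matches."""
    findings, services = {}, parse_master_cf(text)
    for svc, wanted in POLICY.items():
        opts = services.get(svc, {})  # missing service -> every expected key fails
        for key, val in {**COMMON, **wanted}.items():
            if opts.get(key) != val:
                findings.setdefault(svc, []).append(f"{key} should be {val}, got {opts.get(key)!r}")
        # No TLS plus SASL: default smtpd_sasl_security_options = noplaintext, noanonymous withholds PLAIN/LOGIN
        if opts.get("smtpd_tls_security_level") == "none" and "smtpd_sasl_security_options" not in opts:
            findings.setdefault(svc, []).append("smtpd_sasl_security_options unset: default noplaintext hides PLAIN/LOGIN")
    return findings
```

`check(MASTER_CF)` returns an empty dict for the constructed fragment; drop the `smtpd_sasl_security_options` line from the 2525 service and it reports the hidden-mechanism finding for that port only.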
Requirements: * All virtual mail clients will use SASL AUTH * Virtual mail clients on specific internal networks MUST NOT be offered TLS. This is to satisfy FCC requirements prohibiting the use of encryption on certain radio frequencies. * Other virtual mail clients on internal networks may choose to use TLS or not. (Some simple network appliances don't support TLS at all, or don't support STARTTLS) * Virtual mail clients from external networks (outside the firewall) MUST use TLS. So, I'm thinking I need three submission ports: * one for AUTH but no TLS * one for AUTH with opportunistic TLS * one for AUTH with enforced TLS So, I'm thinking: /etc/postfix/master.cf: # Submission for internal, radio clients; access controlled by IP address in iptables 2525 inet ... -o smtpd_tls_security_level=none -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject ... # Submission for internal, non-radio clients submission inet ... -o smtpd_tls_security_level=may -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject ... # Submission for external clients smtps inet ... -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_client_restrictions=permit_sasl_authenticated,reject ... Does that make sense? Is there a better way? Is there anything I should keep in mind? All comments and suggestions would be helpful. Thanks, Michael