> On Sep 19, 2016, at 11:35 AM, Tom Johnson <t...@terramar.net> wrote:
> 
> 
> At first I was thinking "Great, this could help us allow users to have 
> enforced TLS for certain senders/recipients", but then I realized that this 
> policy is probably happening after the STARTTLS command, right?

No, postscreen(8) is not smtpd(8), and is not involved in message transmission;
its job is to screen connections from "new" clients that are not listed in
its cache.

   http://www.postfix.org/POSTSCREEN_README.html

> We have some users who are fine with opportunistic TLS for some of their
> correspondents, but want to enforce TLS when communicating with a particular
> business partner.  And we'd need to be able to set this on a per-domain, or
> even per-user basis.  (One domain might want enforced TLS with example.com,
> and another might not).  Would this be possible with this sort of postscreen
> policy daemon?

No.  Postscreen is not involved in outbound mail, which is where TLS policy is 
implemented.
See http://www.postfix.org/TLS_README.html#client_tls_limits

Outbound TLS policy by destination is supported:

   http://www.postfix.org/TLS_README.html#client_tls_policy
   http://www.postfix.org/TLS_README.html#client_tls_levels

Outbound TLS policy by sender is not directly supported, but
if you're willing to configure separate transports for sufficiently
large groups of users that desire the same outbound TLS policy, you
can employ:

   http://www.postfix.org/postconf.5.html#sender_dependent_default_transport_maps

to route their outbound email via an appropriate transport.  That
transport would be configured with a matching TLS policy via
master.cf(5) overrides of either or both of:

   http://www.postfix.org/postconf.5.html#smtp_tls_security_level
   http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

-- 
        Viktor.
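The sender-dependent transport setup described in the reply above, written out as an added example; this is not configuration from the thread or from the Postfix documentation. The domain names, the table paths under /etc/postfix, and the transport name `tlsreq` are assumptions chosen for illustration.

```conf
# main.cf (added example): choose the outbound transport by envelope sender.
# The table is searched with the full sender address first, then @domain.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# /etc/postfix/sender_transport (run "postmap hash:/etc/postfix/sender_transport"):
# senders who require verified TLS to certain partners are routed via "tlsreq";
# the nexthop is left empty so the recipient domain is still used for delivery.
# Everyone else stays on the default "smtp" transport with opportunistic TLS.
#
#   alice@example.net     tlsreq:
#   example.org           tlsreq:

# master.cf (added example): a copy of the smtp client with its own TLS policy.
# The "-o" override lines must be indented so they belong to the service above.
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
# ==========================================================================
tlsreq    unix  -       -       n       -       -       smtp
    -o smtp_tls_security_level=may
    -o smtp_tls_policy_maps=hash:/etc/postfix/tlsreq_policy
    -o syslog_name=postfix/tlsreq

# /etc/postfix/tlsreq_policy (run "postmap hash:/etc/postfix/tlsreq_policy"):
# per-destination policy for this sender group.  Destinations not listed here
# fall back to the transport's smtp_tls_security_level (may, i.e. opportunistic).
#
#   partner.example       secure
#   example.com           verify match=.example.com:example.com
```

The two lookups compose: the sender table decides which transport (and therefore which TLS policy map) handles the message, and the policy map keys on the next-hop destination, so a given sender group can get mandatory, certificate-verified TLS to one partner and opportunistic TLS everywhere else, while tenants on the default transport are unaffected. After editing, `postfix reload` picks up the master.cf change, and `postmap -q alice@example.net hash:/etc/postfix/sender_transport` confirms that a sender resolves to `tlsreq:`. Note that a sender on the `tlsreq` transport who mails a domain listed as `secure` will have delivery deferred, not downgraded, when the destination's certificate cannot be verified, which is the intended behaviour but should be watched for in the `postfix/tlsreq` log lines.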
