Hi,
Isn't it possible to enforce outbound TLS to a specific MX host?
In the example below, if mx0.example.com isn't offering TLS, the email is
sent unencrypted!?
Enforcing TLS for a whole domain is working as expected.
tls_policy:
[mx0.example.com] encrypt
[4.3.2.1] encrypt
postfix-3.2.0
# Looks like "postconf -n" output for the postfix-outgoing instance
# (multi_instance_name / config_directory below); only non-default
# parameters are listed, so anything not shown is at its Postfix default.
alias_database = hash:/etc/mail/aliases
alias_maps = hash:/etc/mail/aliases
append_dot_mydomain = no
authorized_submit_users = root
canonical_classes = envelope_sender, envelope_recipient
canonical_maps = regexp:/etc/postfix-mx1/canonical
compatibility_level = 2
config_directory = /usr/local/postfix/postfix-outgoing
data_directory = /var/lib/postfix-outgoing
default_database_type = btree
default_destination_concurrency_limit = 500
default_destination_recipient_limit = 500
disable_vrfy_command = yes
fast_flush_domains =
hopcount_limit = 50
in_flow_delay = 0
# Listener and outbound source address are pinned to the same internal IP
# (see smtp_bind_address further down).
inet_interfaces = 192.168.0.41
inet_protocols = ipv4
# No local delivery on this instance: mydestination is empty and
# local_transport rejects everything with a 5.1.1 error.
local_recipient_maps =
local_transport = error:5.1.1 Mailbox unavailable
mailq_path = /usr/local/postfix/bin/mailq
masquerade_classes = envelope_recipient, envelope_sender, header_sender,
header_recipient
masquerade_domains = xyz.com pallas.de xyz.com
master_service_disable =
maximal_queue_lifetime = 5d
message_size_limit = 50000000
multi_instance_enable = yes
multi_instance_group = mta
multi_instance_name = postfix-outgoing
mydestination =
mydomain = xyz.com
myhostname = outgoing.xyz.com
mynetworks = $config_directory/mynetworks
mynetworks_style = host
myorigin = $mydomain
newaliases_path = /usr/local/postfix/bin/newaliases
queue_directory = /var/spool/postfix-outgoing
sender_dependent_relayhost_maps =
btree:/etc/postfix-outgoing/transport_sender
sendmail_path = /usr/local/postfix/sbin/sendmail
smtp_bind_address = 192.168.0.41
smtp_dns_support_level = enabled
smtp_host_lookup = dns, native
# The SMTP client presents the same certificate/key as the smtpd server
# (smtpd_tls_cert_file / smtpd_tls_key_file below).
smtp_tls_cert_file = ${smtpd_tls_cert_file}
smtp_tls_ciphers = high
# NOTE(review): "EDH-RSA-DES-CDC3-SHA" and "KRB5-DE5 CBC3-SHA" do not look
# like valid OpenSSL cipher names (possibly paste typos for ...CBC3-SHA /
# KRB5-DES-CBC3-SHA); a misspelled name excludes nothing, so verify the
# list with "openssl ciphers" before relying on it. Same list is repeated
# for smtpd_tls_exclude_ciphers.
smtp_tls_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH
EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA
smtp_tls_key_file = ${smtpd_tls_key_file}
smtp_tls_loglevel = 1
# Only SSLv2/SSLv3 are excluded here, so TLS 1.0 and 1.1 presumably remain
# negotiable for both opportunistic and mandatory TLS.
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
# NOTE(review): Postfix looks this table up by the next-hop destination
# (recipient domain, or the verbatim nexthop from transport_maps /
# relayhost maps), not by MX hostnames or MX addresses resolved via DNS.
# That would explain why the "[mx0.example.com] encrypt" entry quoted in the
# mail is never matched while the per-domain entry works -- confirm against
# the smtp_tls_policy_maps section of TLS_README for this release (3.2.0).
smtp_tls_policy_maps = btree:/etc/postfix-outgoing/tls_policy
smtp_tls_protocols = !SSLv2, !SSLv3
# Default is opportunistic TLS: any destination without a policy-map entry
# falls back to cleartext when the remote side offers no STARTTLS.
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_discard_ehlo_keywords = silent-discard, etrn
smtpd_error_sleep_time = 3s
smtpd_helo_required = yes
smtpd_recipient_limit = 500
# Relay control: unknown recipient domains are rejected first, then only
# clients listed in $mynetworks may submit; everything else is rejected.
# smtpd_relay_restrictions is empty, so this list presumably carries the
# whole relay policy on its own.
smtpd_recipient_restrictions = reject_unknown_recipient_domain,
permit_mynetworks, reject
smtpd_relay_restrictions =
smtpd_tls_CAfile = /etc/postfix-outgoing/cacert.pem
smtpd_tls_cert_file = /etc/postfix-outgoing/outgoing.xyz.com.crt
smtpd_tls_ciphers = high
smtpd_tls_dh1024_param_file = /etc/postfix-outgoing/dhparams.pem
# See the note on smtp_tls_exclude_ciphers above: same suspicious names.
smtpd_tls_exclude_ciphers = aNULL eNULL EXPORT DES RC4 MD5 PSK aECDH
EDH-DSS-DES-CBC3-SHA EDH-RSA-DES-CDC3-SHA KRB5-DE5 CBC3-SHA
smtpd_tls_key_file = /etc/postfix-outgoing/outgoing.xyz.com.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
# Records the negotiated TLS parameters in the Received: header, which is
# useful when checking afterwards whether a hop was actually encrypted.
smtpd_tls_received_header = yes
# Inbound side is opportunistic too: STARTTLS is offered, never required.
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtputf8_enable = no
tls_preempt_cipherlist = yes
transport_maps = btree:/etc/postfix-outgoing/transport
unknown_local_recipient_reject_code = 550
# master.cf of the same instance. Columns are the usual
# service / type / private / unpriv / chroot / wakeup / maxproc / command.
# The only network listener is smtpd on 192.168.0.41:25, matching
# inet_interfaces in main.cf; every service here runs with chroot = n.
192.168.0.41:25 inet n - n - - smtpd
pickup unix n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr unix n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
# Both "smtp" and "relay" transports run the smtp client, so the TLS
# settings in main.cf apply to either delivery path.
smtp unix - - n - - smtp
relay unix - - n - - smtp
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache