On Mon, Jul 24, 2017 at 02:33:01PM +0200, post...@xmas.de wrote:

> isn't it possible to enforce TLS outbound to an MX ?

No, Postfix TLS policy is based on the locally (securely) determined
nexthop domain, not the remotely (insecurely in most cases, given still
sparse DNSSEC deployment) determined MX host.

> In the example below, if mx0.example.com isn't offering TLS the email is
> sent unencrypted !?
> Enforcing TLS to a domain is working as expected.
>
> tls_policy:
> [mx0.example.com] encrypt
> [4.3.2.1] encrypt

The lookup keys below are only supported when they are the nexthop
domain from the transport table. There is no documented lookup by
MX host in the SMTP policy table.

--
Viktor.
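
Added example, not part of the original message and not Postfix code: a small audit that flags bracketed TLS policy keys which no transport entry uses as its nexthop, the situation the reply describes. The table contents, the function names and the assumption that nexthops come only from the transport table (relayhost and similar settings are not modelled) are constructed for illustration.

```python
# Added example: flag TLS policy keys that are never used as a nexthop.
# Assumption: nexthops come only from the transport table given here.

TLS_POLICY = """\
# constructed sample, keys taken from the thread
[mx0.example.com] encrypt
[4.3.2.1] encrypt
example.com encrypt
"""

TRANSPORT = """\
# constructed sample: example.org is routed to a fixed nexthop
example.org smtp:[mx0.example.com]
"""

def parse_table(text):
    """Parse 'key value' lines, skipping blanks and # comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = line.split(None, 1)
        table[key.lower()] = rest[0] if rest else ""
    return table

def nexthops(transport):
    """Return nexthop strings from values such as 'smtp:[host]:587'."""
    hops = set()
    for value in transport.values():
        _, sep, hop = value.partition(":")
        if sep and hop:
            hops.add(hop.lower())
    return hops

def unreachable_policy_keys(tls_policy, transport):
    """Bracketed policy keys that no transport entry names as its nexthop.

    Unbracketed keys are skipped: a recipient domain is its own nexthop
    when no transport entry overrides it, so those keys can still match.
    """
    hops = nexthops(transport)
    return sorted(k for k in tls_policy if k.startswith("[") and k not in hops)

if __name__ == "__main__":
    policy, transport = parse_table(TLS_POLICY), parse_table(TRANSPORT)
    for key in unreachable_policy_keys(policy, transport):
        print(f"never matched as a nexthop: {key}")
```

With the constructed tables, `[4.3.2.1]` is reported, while `[mx0.example.com]` is not because the sample transport entry routes to it verbatim.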