On Mon, Jul 24, 2017 at 01:53:57PM -0400, Wietse Venema wrote:

> post...@xmas.de:
> > Hi,
> >
> > isn't it possible to enforce TLS outbound to an MX ?
>
> Sure there is.
>
> /etc/postfix/master.cf
>     smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt
>
> /etc/postfix/transport
>     example.com smtp-encrypt
>
> /etc/postfix/main.cf
>     transport_maps = hash:/etc/postfix/transport

I think the OP is asking for policy based on the MX host. I am reluctant to (re)introduce such a mechanism, since its security properties are rather dubious. If the remote domain has DNSSEC, they may as well also do DANE. Absent DNSSEC, per-MX policy is in my view illusory security.

--
Viktor.
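
A check for the per-domain configuration quoted above, as an added example that is not part of the original thread or of Postfix itself: it reads master.cf and transport map text and reports the `smtp_tls_security_level` each routed domain actually gets, flagging transport names that master.cf does not define. The sample file contents, the `main_level` fallback and all function names are assumptions; `smtp_tls_policy_maps` and the `-o { name = value }` form are not handled.

```python
import re

OPT = re.compile(r"(?<!\S)-o\s+(\w+)=(\S+)")   # "-o name=value" overrides

# Constructed sample inputs (not taken from the thread).
MASTER_CF = """\
# service     type  private unpriv chroot wakeup maxproc command
smtp          unix  -       -      n      -      -       smtp
smtp-encrypt  unix  -       -      n      -      -       smtp
    -o smtp_tls_security_level=encrypt
"""
TRANSPORT = """\
example.com   smtp-encrypt
example.net   smtp-encrpyt:
example.org   smtp:
"""

def parse_master_cf(text):
    """Return {service: {option: value}} built from -o overrides."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:   # continuation of the previous entry
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    # A complete entry has a name, six attributes and a command.
    return {e.split()[0]: dict(OPT.findall(e))
            for e in entries if len(e.split()) >= 8}

def parse_transport(text):
    """Return {pattern: transport name} from transport map source text."""
    routes = {}
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            routes[parts[0].lower()] = parts[1].strip().split(":", 1)[0]
    return routes

def audit(master_cf, transport, main_level="may"):
    """Map each pattern to (transport, TLS level); main_level is assumed."""
    services = parse_master_cf(master_cf)
    report = {}
    for pattern, name in parse_transport(transport).items():
        level = (services[name].get("smtp_tls_security_level", main_level)
                 if name in services else "UNDEFINED-TRANSPORT")
        report[pattern] = (name, level)
    return report
```

Calling `audit(MASTER_CF, TRANSPORT)` on the constructed input shows the misspelled transport for example.net as undefined and example.org falling back to the assumed main.cf level.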