Quoting Viktor Dukhovni <postfix-us...@dukhovni.org>:
On Mon, Jul 24, 2017 at 01:53:57PM -0400, Wietse Venema wrote:
post...@xmas.de:
> Hi,
>
> isn't it possible to enforce TLS outbound to an MX ?
Sure there is.

/etc/postfix/master.cf:
    smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt

/etc/postfix/transport:
    example.com smtp-encrypt

/etc/postfix/main.cf:
    transport_maps = hash:/etc/postfix/transport

I think the OP is asking for policy based on the MX host. I am
reluctant to (re)introduce such a mechanism, since its security
properties are rather dubious. If the remote domain has DNSSEC,
they may as well also do DANE. Absent DNSSEC, per-MX policy is
in my view illusory security.
--
Viktor.

Hi Wietse and Viktor,
sorry, my name is Frank.
Yes, Viktor you're right.
We have partners who have numerous domains and don't want to tell me
the whole list of domains.
I only have the MX and have to ensure that the transport is encrypted.
I understand that DNSSEC/DANE is the best way to do it.
But unfortunately, DNSSEC is still not common.
I think it would be worth encrypting even though DNS is spoofable.
Maybe there is a workaround through transport and tcp-table?
Thanks for all answers.
Frank
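
As an added illustration (not part of the thread and not Postfix code): a small Python audit that scans Postfix smtp client log lines for deliveries to one MX host where the same smtp process logged no TLS session for that host. It assumes smtp_tls_loglevel = 1 or higher; the host names, queue IDs and log lines are constructed, and matching by process ID plus relay name is a heuristic.

```python
import re

# Constructed sample log lines; assumes smtp_tls_loglevel = 1 so TLS setup is logged.
SAMPLE_LOG = """\
Jul 24 20:01:10 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.partner.example[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 24 20:01:11 mail postfix/smtp[2101]: 4A1B2C3D4E: to=<a@dom1.example>, relay=mx.partner.example[192.0.2.10]:25, delay=1.1, delays=0.1/0/0.6/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul 24 20:05:42 mail postfix/smtp[2177]: 5F6A7B8C9D: to=<b@dom2.example>, relay=mx.partner.example[192.0.2.10]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Jul 24 20:07:03 mail postfix/smtp[2190]: Trusted TLS connection established to mx.other.example[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jul 24 20:07:04 mail postfix/smtp[2190]: 6E7F8A9B0C: to=<c@dom3.example>, relay=mx.other.example[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# "Trusted", "Untrusted", "Verified" or "Anonymous" TLS connection established to host[ip]
TLS_RE = re.compile(r"postfix/smtp\[(\d+)\]: \w+ TLS connection established to ([^\[\s]+)\[")
# Successful delivery line: queue id, recipient, relay host
SENT_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+): to=<([^>]*)>, relay=([^\[\s,]+)\[.*status=sent")


def plaintext_deliveries(log_text, mx_host):
    """Return (queue_id, recipient) pairs delivered to mx_host with no earlier TLS
    line from the same smtp process for that host.

    Heuristic: a process ID that is reused later in a long log can hide a
    plaintext delivery, so run this over one log rotation at a time.
    """
    wanted = mx_host.lower()
    tls_seen = set()  # (pid, host) pairs that logged a TLS session
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_seen.add((m.group(1), m.group(2).lower()))
            continue
        m = SENT_RE.search(line)
        if m:
            pid, qid, rcpt, relay = m.group(1), m.group(2), m.group(3), m.group(4).lower()
            if relay == wanted and (pid, relay) not in tls_seen:
                findings.append((qid, rcpt))
    return findings


if __name__ == "__main__":
    for qid, rcpt in plaintext_deliveries(SAMPLE_LOG, "mx.partner.example"):
        print(f"no TLS seen: {qid} -> {rcpt}")
```

The report lists recipient addresses, so it also shows which recipient domains are actually being routed through the MX in question.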