> On Aug 22, 2017, at 12:52 PM, yodel...@yepmail.net wrote:
> 
> Based on your comment I found
> 
>  
> http://postfix.1071664.n5.nabble.com/Server-equivilent-of-smtp-tls-policy-maps-td26112.html
> 
> that provides the concrete example
> 
> smtpd_client_restrictions =
>    check_client_access lmdb:/etc/postfix/require_crypt
> 
> # require_crypt.lmdb
>  example.com  reject_plaintext_session 
> 
> So that looks like it should work.

Yes, but what security goal does this achieve?  Firstly, listing the
client domain name there works unreliably, because the PTR lookup
or the forward address lookup may tempfail, and then the client
will be able to send in the clear.  It is generally unwise to
use "reject_unknown_client_hostname" to insist that all clients
have working FCrDNS, so this check is fragile.

You also have no assurance that the client verified the server
certificate, so the connection might be via an MiTM attacker's
system.  The only protection this gets you is from passive
attacks, when there are no DNS hiccups.

A CIDR table (policy by client IP) is more reliable, but still
leaves room for active attacks, and tracking client IPs is often
difficult.

My advice for mandatory inbound TLS on port 25 public MX hosts
is "don't bother".

-- 
        Viktor.
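
Added example, not part of the original message and not Postfix code: a simplified Python model of the failure mode described above, where a name-keyed table stops matching once the PTR or forward lookup tempfails while an address-keyed (CIDR) table still matches. The table contents, the 192.0.2.0/24 addresses, the parent-domain matching order and all function names are assumptions made for illustration.

```python
import ipaddress

# Simplified model, not Postfix source. Constructed tables:
# example.com and 192.0.2.0/24 are placeholder values.
NAME_TABLE = {"example.com": "reject_plaintext_session"}
CIDR_TABLE = [(ipaddress.ip_network("192.0.2.0/24"), "reject_plaintext_session")]


def client_name(ptr_name, forward_addrs, client_ip):
    """Return the FCrDNS-verified name, or "unknown" if any step fails."""
    # None stands for a DNS lookup that tempfailed.
    if ptr_name is None or forward_addrs is None:
        return "unknown"
    return ptr_name if client_ip in forward_addrs else "unknown"


def lookup_by_name(name):
    """Try the name, then each parent domain (assumed matching order)."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        action = NAME_TABLE.get(".".join(labels[i:]))
        if action:
            return action
    return None


def lookup_by_cidr(client_ip):
    """First matching network wins; no DNS lookup is involved."""
    addr = ipaddress.ip_address(client_ip)
    return next((act for net, act in CIDR_TABLE if addr in net), None)


def accepted(action, tls_active):
    """A session is refused only when the rule fires and TLS is absent."""
    return tls_active or action != "reject_plaintext_session"


def scenario(ptr_name, forward_addrs, client_ip="192.0.2.25", tls_active=False):
    name = client_name(ptr_name, forward_addrs, client_ip)
    return {
        "name": name,
        "name_table_accepts": accepted(lookup_by_name(name), tls_active),
        "cidr_table_accepts": accepted(lookup_by_cidr(client_ip), tls_active),
    }


if __name__ == "__main__":
    print("DNS healthy :", scenario("mail.example.com", ["192.0.2.25"]))
    print("PTR tempfail:", scenario(None, None))
```

Neither table says anything about whether the client verified the server certificate, so the active-attack gap noted above is outside this model.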
