> On Oct 18, 2017, at 12:45 AM, Viktor Dukhovni <postfix-us...@dukhovni.org>
> wrote:
>
> The documentation for the TLS policy table clearly states that the
> lookup key for the TLS policy is the *verbatim* nexthop.
http://www.postfix.org/TLS_README.html#client_tls_policy

    The TLS policy table is indexed by the full next-hop destination,
    which is either the recipient domain, or the verbatim next-hop
    specified in the transport table, $local_transport,
    $virtual_transport, $relay_transport or $default_transport. This
    includes any enclosing square brackets and any non-default
    destination server port suffix. The LMTP socket type prefix (inet:
    or unix:) is not included in the lookup key.

The above leaves out content_filter or access(5) FILTER rules, as these
can also specify a non-default nexthop, but usually not one that's
subject to TLS encryption. If you have a blanket encryption policy, then
you might actually need to exempt any loopback SMTP nexthop used with
content_filter and similar.

-- 
	Viktor.
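The key-derivation rule quoted above, worked through as an added example (this is not code from the thread or from Postfix; it is a small model of the documented lookup, with constructed transport(5) and tls_policy tables). It shows why a policy entry keyed by a bare hostname never matches a next-hop written as `[host]:port`, that the LMTP `inet:` prefix is dropped from the key, and what happens to a hypothetical loopback content_filter under a blanket `encrypt` policy. The table contents, the `[127.0.0.1]:10024` filter address and the assumption that `lmtp_tls_security_level` equals `smtp_tls_security_level` are all mine; relayhost, sender-dependent transports and the `user@domain` forms of transport lookups are not modelled.

```python
import re

# Constructed transport(5) table: recipient domain -> "transport:nexthop".
# A leading dot matches the domain and its subdomains (transport_maps is not
# in parent_domain_matches_subdomains by default, so the dot is required).
TRANSPORT_MAP = """
example.com         smtp:[mail.example.com]:587
.partner.example    smtp:[smtp.partner.example]
imap.example.net    lmtp:inet:[127.0.0.1]:24
"""

# Constructed tls_policy table whose keys are the *verbatim* next-hop:
# square brackets and non-default port included, LMTP "inet:" prefix excluded.
TLS_POLICY_MAP = """
# mail for example.com is sent to [mail.example.com]:587, so that is the key
[mail.example.com]:587     secure match=mail.example.com
[smtp.partner.example]     encrypt
# the LMTP socket type prefix is not part of the key
[127.0.0.1]:24             none
"""

# The common mistake: a bare hostname as the key. It never matches because
# the next-hop for example.com is "[mail.example.com]:587".
TLS_POLICY_MAP_WRONG_KEY = """
mail.example.com           secure match=mail.example.com
"""

DEFAULT_TLS_LEVEL = "encrypt"   # blanket smtp_tls_security_level (assumed)
DEFAULT_TRANSPORT = "smtp"
CONTENT_FILTER = "smtp:[127.0.0.1]:10024"   # hypothetical after-queue filter


def parse_table(text):
    """Minimal 'key value' text table; '#' lines and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0]] = parts[1] if len(parts) > 1 else ""
    return table


def transport_lookup(domain, transport_map):
    """transport(5) order: exact domain, then '.domain' and each '.parent'."""
    if domain in transport_map:
        return transport_map[domain]
    labels = domain.split(".")
    for i in range(len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in transport_map:
            return transport_map[parent]
    return None


def parse_transport_spec(spec, default_nexthop=""):
    """Split 'transport:nexthop' as written in transport(5), content_filter or FILTER."""
    transport, _, nexthop = spec.partition(":")
    return transport or DEFAULT_TRANSPORT, nexthop or default_nexthop


def resolve_nexthop(recipient, transport_map=None):
    """(transport, nexthop) for a recipient; falls back to default transport + domain."""
    transport_map = parse_table(TRANSPORT_MAP) if transport_map is None else transport_map
    domain = recipient.rsplit("@", 1)[1].lower()
    entry = transport_lookup(domain, transport_map)
    if entry is None:
        return DEFAULT_TRANSPORT, domain
    return parse_transport_spec(entry, default_nexthop=domain)


def tls_policy_key(transport, nexthop):
    """The lookup key is the verbatim next-hop; only an LMTP socket prefix is dropped."""
    if transport == "lmtp":
        nexthop = re.sub(r"^(inet|unix):", "", nexthop)
    return nexthop


def effective_tls_level(transport, nexthop, tls_policy_text=TLS_POLICY_MAP):
    """(key, level): the entry's first word when the key matches, else the blanket level."""
    key = tls_policy_key(transport, nexthop)
    entry = parse_table(tls_policy_text).get(key)
    return key, (entry.split()[0] if entry else DEFAULT_TLS_LEVEL)


def level_for_recipient(recipient, tls_policy_text=TLS_POLICY_MAP):
    return effective_tls_level(*resolve_nexthop(recipient), tls_policy_text=tls_policy_text)


def level_for_content_filter(spec=CONTENT_FILTER, tls_policy_text=TLS_POLICY_MAP):
    return effective_tls_level(*parse_transport_spec(spec), tls_policy_text=tls_policy_text)


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@mx.partner.example",
                 "carol@imap.example.net", "dave@other.example"):
        print(rcpt, "->", level_for_recipient(rcpt))
    print("wrong key  ->", level_for_recipient("alice@example.com", TLS_POLICY_MAP_WRONG_KEY))
    print("filter     ->", level_for_content_filter())
    print("filter+exempt ->", level_for_content_filter(
        tls_policy_text=TLS_POLICY_MAP + "[127.0.0.1]:10024 none\n"))
```

The last two calls are the point of the closing remark in the message: with `smtp_tls_security_level = encrypt` and no table entry, the loopback filter next-hop inherits `encrypt`, so an explicit `[127.0.0.1]:10024 none` line (again, keyed on the verbatim next-hop) is what exempts it.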