On 04.01.19 14:44, Stefan Bauer wrote:
> we have enforced TLS to all remote sites and have an appropriate TLS policy
> server that checks if TLS is available before accepting mails. That works as
> expected. We also only accept users with auth.
>
> smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
>   reject_unauth_destination
> smtpd_recipient_restrictions = check_policy_service unix:private/policy
>
> policy server returns dunno or defer...
>
> Now the problem:
> for some destinations, we are aware that TLS fails, so we skip checking
> and set "may" policy for specific users/destinations. However, this setting
> seems to have no effect anymore when we enable check_policy_service.
>
> master.cf (snippet):
> finance unix - - n - - smtp
>   -o smtp_tls_policy_maps=hash:/etc/postfix/tls/finance
>
> tls/finance:
> remote-site.de may
>
> policy server responds with defer.... and custom smtp_tls_policy_maps are
> ignored.
>
> How to work around this?
It looks to me like you are searching for a connection between
smtpd_recipient_restrictions and smtp_tls_policy_maps, and there is none.

The "check_policy_service private/policy" communicates via the unix socket
private/policy (apparently in the postfix directory) with an external program that
tells smtpd what to do.

If you want your policy server to return dunno for the sending domain
"remote-site.de", your policy server must look in the /etc/postfix/tls/finance
table for the remote-site.de domain.

The policy server doesn't look at your "smtp_tls_policy_maps" settings;
usually it does not read the postfix configuration at all.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
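To illustrate the reply's point, here is an added example (not code from either poster) of a minimal check_policy_service responder that reads the text source of the tls policy table itself and answers "dunno" for destinations marked "may", running its TLS probe only for the rest. The table text, the probe, the socket path and the use of the recipient domain as the destination are all assumptions.

```python
import socketserver

TLS_POLICY_TEXT = """\
# constructed sample of the text source behind hash:/etc/postfix/tls/finance
remote-site.de       may
partner.example      encrypt
"""
def parse_tls_policy(text):
    """Parse a Postfix tls_policy text table into {destination: policy}."""
    table = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[fields[0].lower()] = fields[1].lower()
    return table

def parse_policy_request(data):
    """Parse one policy request: 'name=value' lines ended by an empty line."""
    attrs = {}
    for line in data.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, tls_table, tls_available):
    """Return the access action. tls_available(domain) -> bool stands in for the
    site's TLS probe; the recipient domain is taken as the destination (both are
    assumptions). 'may'/'none' skips the probe: smtpd never sees smtp_tls_policy_maps."""
    domain = attrs.get("recipient", "").rpartition("@")[2].lower()
    if tls_table.get(domain) in ("may", "none") or tls_available(domain):
        return "dunno"
    return "defer TLS not available for " + domain

def handle_request(data, tls_table, tls_available):
    """Build the reply Postfix expects: an 'action=' line plus an empty line."""
    return "action=%s\n\n" % decide(parse_policy_request(data), tls_table, tls_available)

class PolicyHandler(socketserver.StreamRequestHandler):
    """Answers on the check_policy_service socket; a connection may carry many requests."""
    table = parse_tls_policy(TLS_POLICY_TEXT)
    probe = staticmethod(lambda d: d == "partner.example")  # constructed probe
    def handle(self):
        request = []
        for raw in self.rfile:
            request.append(raw.decode("ascii", "replace").rstrip("\r\n"))
            if request[-1] == "":  # empty line ends one request
                self.wfile.write(handle_request("\n".join(request), self.table, self.probe).encode())
                request = []

if __name__ == "__main__":  # socket path relative to queue_directory (assumption)
    socketserver.UnixStreamServer("private/policy", PolicyHandler).serve_forever()
```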