> On Oct 31, 2019, at 10:58 AM, Ferdinand Goldmann <ferdinand.goldm...@jku.at> wrote:
>
> I need a Postfix (3.3) installation to only accept mails sent after STARTTLS,
> so I've set smtpd_tls_security_level = encrypt in main.cf. However, Postfix
> still allows sending mails without encryption.

That's not correct. Postfix does reject "MAIL FROM" over cleartext when
"smtpd_tls_security_level = encrypt" and STARTTLS was not used. (More
precisely, all commands other than XCLIENT, EHLO/HELO, STARTTLS, NOOP
and QUIT are rejected.)

It seems your configuration was not as you intended. For help, post
the output of:

    $ postconf -nf

and

    $ postconf -Mf

> Do the permit_mynetworks settings in smtpd_relay_restrictions and
> smtpd_recipient_restrictions have an effect on the enforcement of TLS
> encryption?

Not generally, but "reject_plaintext_session" can be used instead
of "smtpd_tls_security_level", possibly selectively by client ip,
sender domain, recipient address, ...

> Are hosts in mynetworks exempt from the smtpd_tls_security_level =
> encrypt setting?

No.

-- 
Viktor.
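
One way to check the behaviour described in the reply above, as an added example that is not part of the original thread: record a cleartext SMTP session and flag any command outside the pre-STARTTLS list that the server accepted. The function names, the `probe.example` HELO name, the `postmaster` recipient and both sample transcripts are assumptions constructed for illustration.

```python
import smtplib

# Commands Postfix still answers in cleartext under
# smtpd_tls_security_level = encrypt (list taken from the reply above).
PRE_TLS_ALLOWED = {"XCLIENT", "EHLO", "HELO", "STARTTLS", "NOOP", "QUIT"}

def plaintext_violations(transcript):
    """Return the commands a server accepted in cleartext although they are
    outside PRE_TLS_ALLOWED. transcript: list of (command, reply_code)."""
    accepted = []
    for command, code in transcript:
        parts = command.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb == "STARTTLS" and code == 220:
            break  # TLS negotiated; later commands are no longer cleartext
        if verb not in PRE_TLS_ALLOWED and 200 <= code < 400:
            accepted.append(command)
    return accepted

def probe(host, port=25, helo="probe.example", timeout=10):
    """Record a cleartext session (no STARTTLS, no DATA) against a server
    you operate. HELO name and recipient are assumptions; adjust them."""
    transcript = []
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        for command in (f"EHLO {helo}", "MAIL FROM:<>", "RCPT TO:<postmaster>"):
            code, _ = smtp.docmd(command)
            transcript.append((command, code))
    return transcript

# Constructed transcripts (not captured from a real server).
ENFORCED = [("EHLO probe.example", 250), ("MAIL FROM:<>", 530),
            ("RCPT TO:<postmaster>", 530)]
NOT_ENFORCED = [("EHLO probe.example", 250), ("MAIL FROM:<>", 250),
                ("RCPT TO:<postmaster>", 250)]

if __name__ == "__main__":
    for name, sample in (("ENFORCED", ENFORCED), ("NOT_ENFORCED", NOT_ENFORCED)):
        print(name, plaintext_violations(sample))
```

Running `plaintext_violations(probe(host))` from a client inside and from one outside mynetworks should give the same empty result, since the reply states that mynetworks hosts are not exempt.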