On Sun, Mar 21, 2021 at 10:21:54AM -0400, Wietse Venema wrote:

> > When using Postfix "smtpd_tls_security_level = encrypt" in main.cf
> > is it possible to make an exception for an incoming mail server
> > connection that does not support encryption?
>
> Use "smtpd_tls_security_level = may" and use reject_plaintext_session
> in smtpd_sender_restrictions.
>
> /etc/postfix/main.cf:
>     smtpd_tls_security_level = may
>     smtpd_sender_restrictions =
>         check_client_access inline:{example.com=permit}
>         reject_plaintext_session
>
> Some may object to name-based exceptions: they can use IP addresses
> and cidr maps instead.
>
> /etc/postfix/main.cf:
>     smtpd_tls_security_level = may
>     smtpd_sender_restrictions =
>         check_client_access cidr:/etc/postfix/tls-exceptions
>
> /etc/postfix/tls-exceptions
>     10.0.0.1/8      permit
>     0.0.0.0/0       reject_plaintext_session

Also make sure your setting of "plaintext_reject_code = 450" has not
been changed from its default value.

--
    Viktor.

P.S. FWIW, I am one of those who usually suggests avoiding (objects)
to fragile client exceptions by FCrDNS[1] name, which can tempfail.

[1] https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS
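
A way to dry-run a cidr exception table like the one above before deploying it (an added example, not part of the original thread and not Postfix code). It is a simplified model of first-match lookup; the names parse_table and decide and the sample table are constructed for illustration, and skipping entries with host bits set is an assumption about how Postfix treats such rules.

```python
import ipaddress

# Constructed sample in cidr_table(5) layout: "pattern  action", first match wins.
TABLE = """\
# /etc/postfix/tls-exceptions (constructed sample)
10.0.0.0/8      permit
0.0.0.0/0       reject_plaintext_session
"""

def parse_table(text):
    """Return (rules, skipped). Patterns with host bits set are skipped
    (assumption: Postfix warns about such a rule and ignores it)."""
    rules, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        try:
            net = ipaddress.ip_network(pattern)  # strict: host bits must be zero
        except ValueError:
            skipped.append((lineno, pattern))
            continue
        rules.append((net, action.strip()))
    return rules, skipped

def decide(rules, client_ip, tls_active, plaintext_reject_code=450):
    """Model the outcome of check_client_access for one client connection."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if action == "permit":
                return "permit"                 # exception: plaintext allowed
            if action == "reject_plaintext_session":
                # Only fires when the session is not encrypted.
                return "dunno" if tls_active else f"reject {plaintext_reject_code}"
            return action
    return "dunno"                              # no pattern matched this client

if __name__ == "__main__":
    rules, skipped = parse_table(TABLE)
    for lineno, pattern in skipped:
        print(f"line {lineno}: {pattern} has host bits set, rule skipped")
    for ip, tls in [("10.1.2.3", False), ("192.0.2.7", False),
                    ("192.0.2.7", True), ("2001:db8::1", False)]:
        print(f"{ip:<14} tls={tls!s:<5} -> {decide(rules, ip, tls)}")
```

The last sample client shows a gap worth checking: 0.0.0.0/0 matches IPv4 only, so a plaintext IPv6 client falls through this table unless a ::/0 entry is added.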