Re: Enforce TLS to MX

2017-07-26 Thread postfix
Hi Viktor, thank you for your detailed explanations. Greetings, Frank

Re: Enforce TLS to MX

2017-07-25 Thread Viktor Dukhovni
> On Jul 25, 2017, at 3:59 AM, post...@xmas.de wrote: > > We have partners who have numerous domains and don't want to tell me > the whole list of domains. Postfix TLS security is by destination domain. Basing TLS security policy on the insecurely obtained MX host is futile. If there's no man

Re: Enforce TLS to MX

2017-07-25 Thread Bastian Blank
On Tue, Jul 25, 2017 at 09:59:43AM +0200, post...@xmas.de wrote: > I only have the MX and have to ensure that the transport is encrypted. Well. If the remote system announces STARTTLS, it will be used. So you ensured to use encryption if the remote system tells you it works. > I understand that

Re: Enforce TLS to MX

2017-07-25 Thread postfix
Quoting Viktor Dukhovni: On Mon, Jul 24, 2017 at 01:53:57PM -0400, Wietse Venema wrote: post...@xmas.de: > Hi, > > isn't it possible to enforce TLS outbound to an MX ? Sure there is. /etc/postfix/master.cf smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt /etc/po

Re: Enforce TLS to MX

2017-07-24 Thread Viktor Dukhovni
On Mon, Jul 24, 2017 at 01:53:57PM -0400, Wietse Venema wrote: > post...@xmas.de: > > Hi, > > > > isn't it possible to enforce TLS outbound to an MX ? > > Sure there is. > > /etc/postfix/master.cf > smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt > > /etc/postfix/tran

Re: Enforce TLS to MX

2017-07-24 Thread Wietse Venema
post...@xmas.de: > Hi, > > isn't it possible to enforce TLS outbound to an MX ? Sure there is. /etc/postfix/master.cf smtp-encrypt .. .. .. .. .. .. smtp -o smtp_tls_security_level=encrypt /etc/postfix/transport example.com smtp-encrypt /etc/postfix/main.cf transport_maps = hash:/e

Re: Enforce TLS to MX

2017-07-24 Thread Viktor Dukhovni
On Mon, Jul 24, 2017 at 02:33:01PM +0200, post...@xmas.de wrote: > isn't it possible to enforce TLS outbound to an MX ? No, Postfix TLS policy is based on the locally (securely) determined nexthop domain, not the remotely (insecurely in most cases, given still sparse DNSSEC deployment) determmine

Re: Enforce TLS to MX

2017-07-24 Thread Noel Jones
On 7/24/2017 7:33 AM, post...@xmas.de wrote: > Hi, > > isn't it possible to enforce TLS outbound to an MX ? > In the example below, if mx0.example.com isn't offering TLS the > email is sent unencrypted !? > Enforcing TLS to a domain is working as expected. > > tls_policy: > [mx0.example.com]

Re: Enforce TLS to MX

2017-07-24 Thread Paul Menzel
Dear anonymous, On 07/24/17 14:33, post...@xmas.de wrote: isn't it possible to enforce TLS outbound to an MX ? In the example below, if mx0.example.com isn't offering TLS the email is sent unencrypted !? Enforcing TLS to a domain is working as expected. > tls_policy: [mx0.example.com]

Enforce TLS to MX

2017-07-24 Thread post...@xmas.de
Hi, isn't it possible to enforce TLS outbound to an MX ? In the example below, if mx0.example.com isn't offering TLS the email is sent unencrypted !? Enforcing TLS to a domain is working as expected. tls_policy: [mx0.example.com] encrypt [4.3.2.1] encrypt postfix-3.2.0