7

I'm looking for a Postfix configuration option like smtpd_enforce_tls but one that lets me enforce TLS selectively, depending on what domain the email is coming in from. I need to allow non-TLS incoming email from all but certain selected originating domains.

Is this possible? I know that it's simple to selectively enforce TLS on email going out from Postfix, but I'm talking about email coming in.

dan
  • 847
  • 2
  • 9
  • 11

3 Answers

7

Yes, you can - with a little engineering :)

Since you say you want to enforce TLS based on sender domain, you add a check_sender_access restriction to your smtpd_sender_restrictions, like so:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/enforced_tls

and in /etc/postfix/enforced_tls:

@example.org   reject_plaintext_session
@example.net   reject_plaintext_session

Don't forget to postmap the file, and reload postfix when you're done.

adaptr
  • 16,576
  • 23
  • 34
4

/etc/postfix/enforced_tls must be in this format:

example.org   reject_plaintext_session
example.net   reject_plaintext_session

refer to http://www.postfix.org/access.5.html

0

I would even suggest a more restrictive version by also requiring a valid certificate from the sending server like this:

/etc/postfix/main.cf:

...
smtpd_tls_ask_ccert = yes
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/enforced_tls
...

/etc/postfix/enforced_tls:

example.org     reject_plaintext_session, permit_tls_all_clientcerts, reject
example.net     reject_plaintext_session, permit_tls_all_clientcerts, reject

This should also reject the session when the certificate of the connecting server cannot be validated via the CAs in smtpd_tls_CAfile, which in this case can safely contain the system default CAs. Please correct me if I'm mistaken here.

rvjr
  • 1
  • 1
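The three answers above differ in two places: which lookup key actually matches in the access table ("@example.org" versus "example.org"), and what happens once the matched restriction list is walked for a plaintext session, a TLS session without a client certificate, and a TLS session whose certificate verified. The following is an added example, not code from any of the answers or from Postfix itself: a small Python simulator of the sender lookup keys documented in access(5) and of the restriction actions used on this page. The tables are constructed to mirror the answers, the lookup order follows my reading of access(5) (user@domain, the domain and its parent domains when smtpd_access_maps is listed in parent_domain_matches_subdomains, which it is by default, the ".parent" forms otherwise, then user@), and only the actions the answers use are modelled; everything else is an assumption and is marked as such in the code.

```python
from dataclasses import dataclass

# Constructed tables mirroring the answers above (not the page's files).
TABLE_ANSWER_1 = """\
@example.org   reject_plaintext_session
@example.net   reject_plaintext_session
"""
TABLE_ANSWER_2 = """\
example.org   reject_plaintext_session
example.net   reject_plaintext_session
"""
TABLE_ANSWER_3 = """\
example.org     reject_plaintext_session, permit_tls_all_clientcerts, reject
example.net     reject_plaintext_session, permit_tls_all_clientcerts, reject
"""


def parse_access_table(text):
    """Parse 'key  action[, action ...]' lines; keys folded to lowercase
    as postmap does for hash: tables."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, actions = line.split(None, 1)
        table[key.lower()] = [a.strip() for a in actions.split(",")]
    return table


def sender_lookup_keys(sender, parent_matches=True):
    """Keys Postfix tries for a MAIL FROM address, in order (assumed from
    access(5)): user@domain, the domain plus its parent domains when
    smtpd_access_maps is in parent_domain_matches_subdomains (the default),
    otherwise the domain plus '.parent' forms, and finally user@.
    Note that no key of the form '@domain' is ever generated."""
    sender = sender.lower()
    user, _, domain = sender.rpartition("@")
    labels = domain.split(".")
    keys = [sender]
    if parent_matches:
        keys += [".".join(labels[i:]) for i in range(len(labels))]
    else:
        keys.append(domain)
        keys += ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    keys.append(user + "@")
    return keys


def lookup_sender(table, sender, parent_matches=True):
    """Return the matched action list or None (Postfix: no match, DUNNO)."""
    for key in sender_lookup_keys(sender, parent_matches):
        if key in table:
            return table[key]
    return None


@dataclass
class Session:
    tls: bool                    # STARTTLS negotiated on this session
    cert_verified: bool = False  # client cert chained to smtpd_tls_CAfile/CApath


def evaluate(actions, session):
    """Walk the matched list left to right; the first PERMIT/REJECT wins.
    Only the actions used on this page are modelled (an assumption)."""
    for action in actions:
        a = action.lower()
        if a == "reject_plaintext_session":
            if not session.tls:
                return "REJECT"       # 450 by default (plaintext_reject_code)
        elif a == "permit_tls_all_clientcerts":
            if session.tls and session.cert_verified:
                return "PERMIT"
        elif a == "reject":
            return "REJECT"
        elif a in ("permit", "ok"):
            return "PERMIT"
        elif a == "dunno":
            return "DUNNO"
        else:
            raise ValueError(f"unmodelled action: {action}")
    return "DUNNO"                    # list exhausted: next restriction decides


def decide(table_text, sender, session, parent_matches=True):
    """Combine lookup and evaluation for one sender on one session."""
    actions = lookup_sender(parse_access_table(table_text), sender, parent_matches)
    return "DUNNO" if actions is None else evaluate(actions, session)


if __name__ == "__main__":
    plain = Session(tls=False)
    tls_nocert = Session(tls=True)
    tls_cert = Session(tls=True, cert_verified=True)
    for name, table in (("answer 1", TABLE_ANSWER_1), ("answer 2", TABLE_ANSWER_2),
                        ("answer 3", TABLE_ANSWER_3)):
        for label, s in (("plaintext", plain), ("tls", tls_nocert), ("tls+cert", tls_cert)):
            print(f"{name:8} alice@example.org {label:9} -> {decide(table, 'alice@example.org', s)}")
```

Running it shows why the second answer's correction matters: with "@example.org" as the key, no lookup key ever matches, so every session falls through as DUNNO and plaintext mail from example.org is not rejected at all. With "example.org" as the key, a plaintext session is rejected, a TLS session falls through to the next restriction (answer 2) or is rejected unless the client certificate verified (answer 3). The subdomain case is also worth checking: whether mail.example.org is covered depends on parent_domain_matches_subdomains, so set it deliberately rather than relying on the default.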