I am running postfix in Debian Wheezy as my MTA. I currently have it configured to require secure connections for SMTP.

In main.cf I have:

smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt

And then in master.cf, I have:

smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes

This works fine. However, I have a scenario where I need to allow a single email account access to connect without SSL/TLS due to hardware incompatibility. Is there an easy way to make this requirement selective based on the authenticated user? I haven't been able to come across any easy or elegant solutions to accomplish this.

Any thoughts/feedback welcome!

Aaron A
  • Don't you have a chicken-and-egg problem? That is to say, with the config above, you can't authenticate until you've negotiated TLS, by which time it's too late to exempt the authenticated user from a TLS requirement. – MadHatter May 14 '14 at 12:07
  • Set up a different instance of postfix running on a non standard port in `master.cf`, and make it much less restrictive. – NickW May 14 '14 at 13:06
  • @NickW Is there a way to override the smtpd_tls_auth_only and smtpd_tls_security_level on a non standard port though? From what I can see, there isn't. That was my initial thought, but I couldn't figure out how to configure it correctly. – Aaron A May 15 '14 at 11:52
  • @NickW scratch that, I think I may have figured it out, not sure why my options weren't registering the other day though! – Aaron A May 15 '14 at 12:27

1 Answer

I was able to accomplish this with the following option in master.cf:

925      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no

This will allow clients to connect on port 925, without requiring TLS.

Aaron A
  • From the [Postfix documentation on smtpd_enforce_tls](http://www.postfix.org/postconf.5.html#smtpd_enforce_tls): *'With Postfix 2.3 and later use smtpd_tls_security_level instead.'* So I guess you can just leave it out. :-) – gertvdijk Jan 14 '15 at 21:41
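The thread's approach works per listening port rather than per user (as MadHatter's comment notes, authentication happens after STARTTLS, so the user is not known in time), which means the port 925 entry accepts SMTP AUTH credentials in the clear from any client that can reach it. The script below is an added example, not code from the original post or from Postfix: it reads the main.cf lines from the question and the master.cf entries from the question and the answer, applies each service's `-o` overrides on top of the main.cf defaults, and reports which smtpd listeners permit plaintext authentication. The parsers are a minimal reading of the two file layouts written for this example (unindented service lines, indented `-o name=value` continuation lines, `name = value` main.cf lines); the precedence of `smtpd_tls_security_level` over the obsolete `smtpd_enforce_tls` / `smtpd_use_tls` booleans follows postconf(5), and Postfix's built-in defaults (level unset, `smtpd_tls_auth_only = no`) are assumed where neither file sets a parameter.

```python
"""Audit which Postfix smtpd listeners permit SMTP AUTH without TLS.

Added example for this thread; the file contents below are constructed
copies of the snippets in the question and the answer, and the parsers
only handle the layout those snippets use.
"""
import shlex

# Constructed copy of the main.cf lines from the question.
MAIN_CF = """
smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt
"""

# Constructed copy of the master.cf entries from the question and the answer.
MASTER_CF = """
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
925       inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no
"""


def parse_main_cf(text):
    """Return {parameter: value} from 'name = value' lines (comments/blanks skipped)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return [(service, command, {override: value}), ...] in file order.

    A service entry is an unindented line with at least 8 fields
    (name type private unpriv chroot wakeup maxproc command); the indented
    lines that follow carry '-o name=value' overrides for that service.
    """
    services = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Continuation line: attach its -o overrides to the previous service.
            if not services:
                continue
            tokens = shlex.split(raw)
            for i, tok in enumerate(tokens):
                if tok == "-o" and i + 1 < len(tokens) and "=" in tokens[i + 1]:
                    name, value = tokens[i + 1].split("=", 1)
                    services[-1][2][name] = value
            continue
        fields = raw.split()
        if len(fields) < 8:
            continue
        services.append((fields[0], fields[7], {}))
    return services


def effective_tls_settings(main_params, services):
    """Merge main.cf defaults with each smtpd service's -o overrides.

    smtpd_tls_security_level wins when set; otherwise the obsolete
    smtpd_enforce_tls / smtpd_use_tls booleans decide (postconf(5)).
    Built-in defaults (level unset, auth_only no) are assumed otherwise.
    """
    result = {}
    for name, command, overrides in services:
        if command != "smtpd":
            continue
        merged = dict(main_params)
        merged.update(overrides)
        level = merged.get("smtpd_tls_security_level", "")
        if not level:
            if merged.get("smtpd_enforce_tls", "no").lower() == "yes":
                level = "encrypt"
            elif merged.get("smtpd_use_tls", "no").lower() == "yes":
                level = "may"
            else:
                level = "none"
        result[name] = {
            "security_level": level,
            "auth_only": merged.get("smtpd_tls_auth_only", "no").lower(),
        }
    return result


def plaintext_auth_services(settings):
    """Names of smtpd services on which a client can authenticate without TLS.

    Plaintext AUTH is possible only when TLS is not mandatory (level != encrypt)
    and AUTH is not restricted to TLS sessions (smtpd_tls_auth_only != yes).
    """
    return sorted(
        name for name, s in settings.items()
        if s["security_level"] != "encrypt" and s["auth_only"] != "yes"
    )


if __name__ == "__main__":
    settings = effective_tls_settings(parse_main_cf(MAIN_CF), parse_master_cf(MASTER_CF))
    for name, s in settings.items():
        print(f"{name:>6}: security_level={s['security_level']} auth_only={s['auth_only']}")
    print("plaintext AUTH possible on:", plaintext_auth_services(settings))
```

Run against the thread's configuration it reports port 25 (`smtp`) as TLS-mandatory and `925` as the only listener where AUTH can happen in the clear, which is exactly the exposure the answer accepts for the one incompatible device; pointing it at the real `/etc/postfix/main.cf` and `master.cf` gives the same overview of a live system. The legacy `smtpd_enforce_tls` line in the answer is redundant for the reason gertvdijk gives: once `smtpd_tls_security_level` is set, it is the value that decides.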