Can you set Postfix to enforce TLS on incoming email only from certain domains or IPs?

I'm looking for a Postfix configuration option like smtpd_enforce_tls but one that lets me enforce TLS selectively, depending on what domain the email is coming in from. I need to allow non-TLS incoming email from all but certain selected originating domains.

Is this possible? I know that it's simple to selectively enforce TLS on email going out from Postfix, but I'm talking about email coming in.


Solution 1:

Yes, you can - with a little engineering :)

Since you say you want to enforce TLS based on sender domain, you add a check_sender_access restriction to your smtpd_sender_restrictions, like so:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/enforced_tls

and in /etc/postfix/enforced_tls:

@example.org   reject_plaintext_session
@example.net   reject_plaintext_session

Don't forget to postmap the file, and reload Postfix when you're done.

Solution 2:

/etc/postfix/enforced_tls must be in this format:

example.org   reject_plaintext_session
example.net   reject_plaintext_session

Refer to http://www.postfix.org/access.5.html
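
The script below is an added example that is not code from either answer above; it puts the two together. It renders the access(5) table in the bare-domain key form Solution 2 describes, emulates the domain and parent-domain lookup that check_sender_access performs on it (so you can see that example.org also covers mail.example.org, because smtpd_access_maps is in the default parent_domain_matches_subdomains), and, when run as root with --apply, installs the map and the restriction from Solution 1. The map path, the domain list and the --apply flag are assumptions for illustration. Two caveats worth keeping in mind: check_sender_access keys on the envelope MAIL FROM, which any client can forge, so this enforces encryption in transit for mail that claims those senders, not the authenticity of the sender (SPF/DKIM/DMARC are the tools for that); and for the "or IPs" half of the question the equivalent is check_client_access with a cidr: table listing the client networks, in the same restriction list.

```shell
#!/bin/sh
# Added example, not code from either answer. Builds the access(5) table that
# maps sender domains to reject_plaintext_session, emulates the lookup Postfix
# performs on it, and (with --apply) installs it. The map path and the domain
# list are assumptions for illustration.
set -eu

MAP=${MAP:-/etc/postfix/enforced_tls}
# Constructed sample: sender domains that must use STARTTLS to deliver to us.
DOMAINS="example.org example.net"

# Render the table. Keys are bare domains, as Solution 2 says: "@example.org"
# is not a key form access(5) recognises. Because smtpd_access_maps is in the
# default parent_domain_matches_subdomains, example.org also covers
# anything.example.org.
render_enforced_tls_map() {
    for d in $DOMAINS; do
        printf '%s\treject_plaintext_session\n' "$d"
    done
}

# Emulate the domain part of the lookup check_sender_access does for an
# envelope sender: the domain, then each parent domain in turn. (Postfix also
# tries the full address and the localpart@ form; those are omitted here.)
# Prints the action, or DUNNO when no key matches and Postfix would move on
# to the next restriction in the list.
lookup_sender_action() {
    key=$(printf '%s' "${1#*@}" | tr 'A-Z' 'a-z')
    table=$(render_enforced_tls_map)
    while :; do
        action=$(printf '%s\n' "$table" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -n "$action" ]; then
            printf '%s\n' "$action"
            return 0
        fi
        case $key in
            *.*) key=${key#*.} ;;   # strip one label: mail.example.org -> example.org
            *)   break ;;
        esac
    done
    printf 'DUNNO\n'
}

# Install the table and wire it in. Needs root and a Postfix install.
# smtpd_tls_security_level must be at least "may"; otherwise STARTTLS is never
# offered and reject_plaintext_session rejects every listed sender outright.
# Note: postconf -e replaces any existing smtpd_sender_restrictions, so merge
# the check_sender_access entry into what you already have instead.
install_tls_policy() {
    render_enforced_tls_map > "$MAP"
    postmap "hash:$MAP"
    postconf -e "smtpd_tls_security_level = may"
    postconf -e "smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:$MAP"
    postfix reload
    # Sanity check that the compiled map answers the way the emulation does.
    [ "$(postmap -q example.org "hash:$MAP")" = reject_plaintext_session ]
}

if [ "${1:-}" = "--apply" ]; then
    install_tls_policy
fi
```

Without --apply the script only defines the functions, so you can source it and call lookup_sender_action on a few addresses to confirm which senders the table will catch before touching the live configuration; with --apply it writes the map, compiles it with postmap, sets the restriction and reloads Postfix.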