Can you set Postfix to enforce TLS on incoming email only from certain domains or IPs?
I'm looking for a Postfix configuration option like smtpd_enforce_tls, but one that lets me enforce TLS selectively, depending on what domain the email is coming in from. I need to allow non-TLS incoming email from all but certain selected originating domains.
Is this possible? I know that it's simple to selectively enforce TLS on email going out from Postfix, but I'm talking about email coming in.
Solution 1:
Yes, you can - with a little engineering :)
Since you say you want to enforce TLS based on sender domain, you add a check_sender_access restriction to your smtpd_sender_restrictions, like so:
```
smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/enforced_tls
```
and in /etc/postfix/enforced_tls:

```
@example.org reject_plaintext_session
@example.net reject_plaintext_session
```
Don't forget to postmap the file, and reload postfix when you're done.
Solution 2:
/etc/postfix/enforced_tls must be in this format:

```
example.org reject_plaintext_session
example.net reject_plaintext_session
```

Refer to http://www.postfix.org/access.5.html
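As an added illustration (not code from either answer), this Python model walks the access(5) lookup order that check_sender_access applies to the MAIL FROM address and then applies reject_plaintext_session, so you can see which key formats match and why the bare-domain form from Solution 2 is the one that works. The table contents are constructed, and parent-domain matching follows the Postfix default, where smtpd_access_maps is listed in parent_domain_matches_subdomains.

```python
# Added example: models check_sender_access + reject_plaintext_session.
# The table is constructed; real Postfix reads a postmap'd hash: file.
# Address extensions (user+ext@) are ignored here for brevity.

# Keys in the format access(5) documents: bare domain, full address, or user@.
ENFORCED_TLS = {
    "example.org": "reject_plaintext_session",
    "example.net": "reject_plaintext_session",
    "alice@example.com": "reject_plaintext_session",
}


def lookup_keys(sender, parent_domain_matches=True):
    """access(5) lookup order for an email address: full address, domain,
    parent domains (bare when smtpd_access_maps is in
    parent_domain_matches_subdomains, otherwise the '.parent' form),
    then the bare 'user@' pattern."""
    if "@" not in sender:
        return [sender.lower()]
    local, domain = sender.lower().rsplit("@", 1)
    keys = [sender.lower(), domain]
    labels = domain.split(".")
    for i in range(1, len(labels) - 1):  # mail.example.org -> example.org
        parent = ".".join(labels[i:])
        keys.append(parent if parent_domain_matches else "." + parent)
    keys.append(local + "@")
    return keys


def sender_access_action(sender, table=ENFORCED_TLS, parent_domain_matches=True):
    """First matching key wins, as in Postfix; no match yields DUNNO."""
    for key in lookup_keys(sender, parent_domain_matches):
        if key in table:
            return table[key]
    return "DUNNO"


def decide(sender, tls_encrypted, table=ENFORCED_TLS):
    """Outcome of the restriction for one session. reject_plaintext_session
    rejects only when the SMTP session is not TLS-encrypted; Postfix then
    replies with plaintext_reject_code (450 by default)."""
    action = sender_access_action(sender, table)
    if action == "reject_plaintext_session":
        return "REJECT" if not tls_encrypted else "DUNNO"
    return action  # OK, REJECT, DUNNO, ... pass through unchanged
```

Since the MAIL FROM address is supplied by the connecting client, this enforces TLS only for mail that declares one of the listed sender domains; a check_client_access table keyed by the peer's IP address or hostname works the same way for the IP-based variant the question mentions.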