From: "Jan C." on 15 Jun 2010 04:00

Hello,

I have Postfix with TLS policy maps set up to send traffic via TLS to remote MTAs. I'm writing an application which should be able to determine if an email to a given domain will be sent through a TLS connection or not, just by reading the Postfix configuration.

I thought that having a look in the smtp_tls_policy_maps would be enough, e.g.

    "gmail.com encrypt"

This works for domains which are looked up via DNS MX. Now, since the gmail MTAs do not support TLS, I add the following transport mapping in transport_maps

    "gmail.com smtp.gmail.com:587"

Now the previous entry in smtp_tls_policy_maps does not work anymore and I have to add a new one:

    "smtp.gmail.com:587 encrypt"

So if I want to determine if an email to gmail.com is supposed to be sent via TLS, the pseudo algorithm would be something like

    IF "gmail.com" is *not* present in $transport_maps file
    THEN look for "gmail.com" in smtp_tls_policy_maps
    ELSE find the corresponding mapping for "gmail.com" in (in my example smtp.gmail.com:587) and look for the mapping in smtp_tls_policy_maps

Then simply look at the TLS policy mapping to see which level of TLS is used.

Is that correct?

Thanks for your help,
Jan

From: Victor Duchovni on 15 Jun 2010 09:26

On Tue, Jun 15, 2010 at 10:00:51AM +0200, Jan C. wrote:

> This works for domains which are looked up via DNS MX. Now, since the
> gmail MTAs do not support TLS, I add the following transport mapping
> in transport_maps
> "gmail.com smtp.gmail.com:587"

Don't. This is a submission service. Not an MX service. MX hosts are on port 25.

--
Viktor.

From: "Jan C." on 15 Jun 2010 11:03

Hi Victor,

I know this is a submission service and this was only for illustration/testing purpose.

I just want to be sure how I can find a domain's TLS mapping from the smtp_tls_policy_maps when transport mappings are involved.

Thanks,
Jan

From: Victor Duchovni on 15 Jun 2010 11:10

On Tue, Jun 15, 2010 at 05:03:08PM +0200, Jan C. wrote:

> Hi Victor,
> I know this is a submission service and this was only for
> illustration/testing purpose.
>
> I just want to be sure how I can find a domain's TLS mapping from the
> smtp_tls_policy_maps when transport mappings are involved.

TLS policy is based on the nexthop domain. If the transport table overrides the nexthop, then TLS policy will use that nexthop as documented.

--
Viktor.
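
The lookup described in the reply above, as an added example that is not part of the original thread and is not Postfix code: it resolves the nexthop from transport_maps first and then uses that nexthop as the smtp_tls_policy_maps key. Assumptions: the function names are hypothetical, the tables and hostnames are constructed, only exact nexthop keys are looked up in the policy table, and `default_level` stands in for whatever smtp_tls_security_level is set to.

```python
# Added example (not from the thread): which smtp_tls_policy_maps entry applies
# to a recipient domain once transport_maps is taken into account.

def parse_table(text):
    """Parse a Postfix 'key value' table source into a dict."""
    table, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # blank line or comment
        if raw[0].isspace() and last is not None:     # continuation line
            table[last] += " " + raw.strip()
            continue
        parts = raw.split(None, 1)
        last = parts[0].lower()
        table[last] = parts[1].strip() if len(parts) > 1 else ""
    return table

def lookup_transport(domain, transport):
    """Exact domain key first, then '.parent' keys for subdomains."""
    labels = domain.lower().split(".")
    keys = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    return next((transport[k] for k in keys if k in transport), None)

def tls_policy_for(domain, transport, policy, default_level="none"):
    """Return (nexthop, TLS level) for mail addressed to `domain`."""
    nexthop = domain.lower()              # no override: nexthop is the domain
    entry = lookup_transport(domain, transport)
    if entry is not None:
        override = entry.partition(":")[2]   # value is "transport:nexthop"
        if override:                         # empty nexthop keeps the domain
            nexthop = override.lower()
    value = policy.get(nexthop)              # policy key is the nexthop
    return nexthop, (value.split()[0] if value else default_level)

# Constructed sample tables (hostnames are placeholders).
TRANSPORT = parse_table("""
example.org     smtp:[mail.example.net]:587
.example.com    relay:relay.example.net
""")
POLICY = parse_table("""
example.org              encrypt
[mail.example.net]:587   verify
    match=hostname
example.edu              encrypt
""")

if __name__ == "__main__":
    for d in ("example.org", "example.edu", "a.example.com"):
        print(d, "->", tls_policy_for(d, TRANSPORT, POLICY))
```

In the sample, the `example.org encrypt` policy entry is never consulted because the transport table replaces the nexthop, which is the situation the original question ran into.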

From: "Jan C." on 17 Jun 2010 09:25

ok thanks.

Jan