From: m listus on 2 Jun 2010 10:15

Hi again,

I need to tell postfix to force smtp only for certain senders.

I read http://www.postfix.org/TLS_README.html which helps me get tls running w/ postfix, plus "Client TLS limitations".

I'm thinking of using smtpd with smtpd_tls_wrappermode=yes on a different port. But my main problem is stopping those senders from using the regular smtp.

Any ideas on how to best achieve this.

Regards,
mlistus
From: Wietse Venema on 2 Jun 2010 10:24

m listus:
> Hi again,
>
> I need to tell postfix to force smtp only for certain senders.

IP addresses? Domain names? Envelope addresses? Different requirements allow for different solutions. For example, a packet filter "redirect" allows you to invisibly switch to a different SMTP server configuration, but it cannot trigger on email addresses.

> I read http://www.postfix.org/TLS_README.html which helps me get tls running w/ postfix, plus "Client TLS limitations".
>
> I'm thinking of using smtpd with smtpd_tls_wrappermode=yes on a different port. But my main problem is stopping those senders from using the regular smtp.

One option:

    reject_plaintext_session
        Reject the request when the connection is not encrypted.
        This restriction should not be used before the client has
        had a chance to negotiate encryption with the AUTH or
        STARTTLS commands. The plaintext_reject_code parameter
        specifies the response code for rejected requests
        (default: 450). This feature is available in Postfix 2.3
        and later.

This can prevent disclosure of the message content, but it cannot prevent disclosure of email addresses etc. in SMTP commands.

Wietse
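To apply the restriction Wietse describes only to particular envelope senders, the usual Postfix building blocks are a check_sender_access lookup table and a restriction class. The fragment below is an added illustration, not something posted in this thread; the table path, the class name and the example.com domain are assumptions. It assumes STARTTLS is already offered (smtpd_tls_security_level = may with a server certificate, as set up from TLS_README), since a client can only be rejected for staying in plaintext if it was given the chance to encrypt.

```conf
# /etc/postfix/main.cf (added example, not from the thread)

# Offer STARTTLS to every client; the cert/key come from the TLS_README setup.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/postfix/smtpd.pem   # assumed path
smtpd_tls_key_file  = /etc/postfix/smtpd.pem   # assumed path

# Restriction class that only allows encrypted sessions.
smtpd_restriction_classes = require_tls
require_tls = reject_plaintext_session

# Sender restrictions are evaluated at MAIL FROM, i.e. after the client
# has had its chance to issue STARTTLS, so reject_plaintext_session is
# safe to use here (the manual warns against using it earlier).
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/tls_required_senders
    permit

# Default 450 keeps the rejection temporary, so a sender that retries
# with TLS enabled still gets through.
plaintext_reject_code = 450
```

The lookup table `/etc/postfix/tls_required_senders` (assumed path) maps the senders that must use TLS to the class, e.g. `example.com require_tls` on one line; run `postmap /etc/postfix/tls_required_senders` after editing it. As the thread notes, this only protects message content from the listed senders once they connect; it cannot make a remote client verify your certificate, and matching on the envelope sender can break legitimate forwarding.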
From: Victor Duchovni on 2 Jun 2010 13:06

On Wed, Jun 02, 2010 at 07:15:15AM -0700, m listus wrote:

> I need to tell postfix to force smtp only for certain senders.

This is up to the senders. If they want to disclose the data, they'll post it on slashdot, without talking to your SMTP server...

There is not much point in MX hosts, enforcing TLS inbound based on envelope sender address, this breaks legitimate forwarding scenarios, ...

What can work, is enforcement from a particular set of SMTP client IPs, but this is a pain to maintain...

If you want MITM protection, you can't force the remote client to check your certificates correctly!

> I read http://www.postfix.org/TLS_README.html which helps me get tls
> running w/ postfix, plus "Client TLS limitations".

Perhaps you did not fully appreciate the point: TLS security is up to the sender!

> I'm thinking of using smtpd with smtpd_tls_wrappermode=yes on a different port. But my main problem is stopping those senders from using the regular smtp.
>
> Any ideas on how to best achieve this.

Let the sender secure the data transmission to you. If they don't take the appropriate steps, you can't unilaterally make the channel secure.

--
Viktor.