We've got a large number of domains for which we filter email. Some of them have specific destinations to which they want to enforce TLS, bouncing email destined to that domain if TLS is not available. (They need to require it - opportunistic TLS isn't enough for them for certain domains.)
We can't use the standard postfix maps, because while one user might want to force TLS to, say, gmail.com, another might not. So we need to basically look up the recipient domain to see if it's in a list where the sender wants TLS to be forced and then send it to a postfix instance that enforces TLS.
I'm looking for the best way to handle this, and am asking for any ideas or opinions. Obviously, we're going to do some sort of a lookup based on the sender and recipient domains to decide if an outbound message should go to a postfix instance that forces TLS.
I thought of doing this with a custom_hook (before_send, perhaps) that would set the forward_method for a particular recipient.
I also noted the forward_method_maps_by_ccat option... perhaps we would create a new ccat that means "deliver by tls"? And then use forward_method_maps_by_ccat to map that to a different forward instance. This seems cleaner, as far as delivery goes... but is there a way to add additional major contents_category constants in a well-supported way that doesn't involve modifying the amavisd-new source code?
Or is there some great way to do this in postfix that isn't occurring to me?
Thanks-
Tom
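The sender/recipient lookup described in the post, sketched as an added example that is not part of the original message and is not amavisd-new or postfix code. The relay addresses, the policy table and all function names are assumptions made for illustration; the sketch only shows the routing decision, including subdomain matching, the null sender, and a message whose recipients split across both instances.

```python
# Added illustration: relay addresses and policy entries below are constructed.
DEFAULT_RELAY = "smtp:[127.0.0.1]:10025"  # assumed: opportunistic-TLS instance
TLS_RELAY = "smtp:[127.0.0.1]:10027"      # assumed: instance that enforces TLS

# Sender domain -> recipient domains for which that sender requires TLS.
# A leading dot matches the domain itself and all of its subdomains.
FORCE_TLS = {
    "customer-a.example": {"gmail.com", ".partner.example"},
    "customer-b.example": {"bank.example"},
}

def domain_of(addr):
    """Lower-cased domain of an envelope address; '' for the null sender <>."""
    addr = addr.strip().strip("<>")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def requires_tls(sender, recipient, policy=FORCE_TLS):
    """True if this sender's domain lists the recipient's domain as TLS-only."""
    wanted = policy.get(domain_of(sender), ())
    rdom = domain_of(recipient)
    if not rdom:
        return False
    if rdom in wanted:
        return True
    # Walk up the labels: mail.eu.partner.example -> .eu.partner.example -> ...
    labels = rdom.split(".")
    return any("." + ".".join(labels[i:]) in wanted for i in range(len(labels)))

def split_by_relay(sender, recipients, policy=FORCE_TLS):
    """Group recipients per relay so a mixed message is delivered in two parts."""
    routes = {}
    for rcpt in recipients:
        relay = TLS_RELAY if requires_tls(sender, rcpt, policy) else DEFAULT_RELAY
        routes.setdefault(relay, []).append(rcpt)
    return routes
```

Because the decision is per recipient, one message can need both instances; the null sender (bounces) matches no sender policy here and falls through to the default relay.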
