On Tue, Apr 03, 2012 at 02:02:37PM +0000, Mark Pote wrote:
> I have a CentOS, Postfix, Amavisd, Spamassassin, MySQL setup and
> clean mail for quite a few domains.
> 
> One of these domains in particular is a remote site with their
> own Exchange 2007 server and they have asked me to allow TLS
> emails through, HSBC Bank is asking for this.

I don't think the request is reasonable, but it is easy to do. A 
restriction class for this recipient domain, checked after 
reject_unauth_destination, which calls permit_tls_all_clientcerts.

http://www.postfix.org/RESTRICTION_CLASS_README.html
http://www.postfix.org/TLS_README.html#server_access
http://www.postfix.org/postconf.5.html#check_recipient_access
http://www.postfix.org/postconf.5.html#permit_tls_all_clientcerts

> I have looked around on how this works but so far I haven't found a 
> clear explanation. I know that I need to setup postfix to receive 
> the TLS emails, which shouldn't be a problem, and we need a 
> verified certificate. I have also found that we then need to set up
> SASL to forward the mails onto the company's own email server and
> this is where I'm starting to get confused.

How were you forwarding these mails before? Why are they requiring 
you to authenticate? Being enamoured with TLS, perhaps they would 
like to set up TLS certificate authentication. Anyway, either is 
documented:

SASL: http://www.postfix.org/SASL_README.html#client_sasl
TLS: http://www.postfix.org/TLS_README.html#client_tls
     http://www.postfix.org/TLS_README.html#client_tls_policy

For the latter, you simply have to present a proper client 
certificate to their server, but you will also want a secure TLS 
connection.

> Does anyone know how postfix/amavisd/spamassassin handles this and 
> if it is at all possible? Do TLS emails bypass the spam checking or 
> do I setup rules to lower the score if they are from this source?

The amavisd-new configuration is a matter for their mailing list. I 
expect you will need a policy map to tell it to treat these mails 
specially.
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
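A concrete main.cf layout for the restriction class rob0 describes above, plus the client-side TLS policy for the forwarding leg (an added example, not part of this thread or of the Postfix documentation; example.com, the file paths, the class name and the relay host are placeholders):

```conf
# main.cf (added example; example.com, paths and the class name are placeholders)

# Offer TLS and ask connecting clients for a certificate. Only a certificate
# that chains to a CA listed in smtpd_tls_CAfile is "trusted", and only
# trusted certificates satisfy permit_tls_all_clientcerts.
smtpd_tls_security_level = may
smtpd_tls_ask_ccert = yes
smtpd_tls_CAfile = /etc/postfix/trusted-client-cas.pem
smtpd_tls_loglevel = 1

# Restriction class: permit clients that presented a trusted certificate.
# A client without one falls through the class with no decision, so
# evaluation continues with the restrictions after check_recipient_access.
smtpd_restriction_classes = tls_cert_clients
tls_cert_clients = permit_tls_all_clientcerts

# The class is consulted only after reject_unauth_destination, so it can
# never turn the server into an open relay; it only bypasses the later
# client checks for mail addressed to the listed domain.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_recipient_access hash:/etc/postfix/recipient_classes,
    reject_rbl_client zen.spamhaus.org

# /etc/postfix/recipient_classes (run "postmap" on it after editing):
#   example.com   tls_cert_clients

# Forwarding leg to the remote Exchange server with our own client
# certificate (TLS_README "client_tls_policy"). The policy table is keyed
# by the transport nexthop, so the relay host is written in brackets.
transport_maps = hash:/etc/postfix/transport
smtp_tls_security_level = may
smtp_tls_cert_file = /etc/postfix/our-client-cert.pem
smtp_tls_key_file = /etc/postfix/our-client-key.pem
smtp_tls_CAfile = /etc/postfix/trusted-server-cas.pem
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/transport:
#   example.com          smtp:[mail.example.com]
# /etc/postfix/tls_policy ("secure" verifies the server cert and its name):
#   [mail.example.com]   secure
```

After "postfix reload", a client that authenticated with a trusted certificate shows up in the mail log as "Trusted TLS connection established from ...", while an untrusted or absent certificate logs "Anonymous TLS connection established" or "Untrusted TLS connection established" and the later restrictions still apply.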