On Thu, Jul 31, 2014 at 10:49:14AM -0500, Noel Jones wrote:

> You can do that much already.
>
> # somewhere in main.cf
> check_sender_access hash:/path/to/tls_required
>
> # tls_required
> example.com reject_plaintext_session

This is unwise, because it breaks forwarding. If someone from example.com sends mail to user@alumni.example that happens to forward to user@acme.example (the receiving system), the mail will be rejected.

SMTP is hop-by-hop, but envelope sender addresses are (mostly) end-to-end. The impedance mismatch makes it unwise to apply hop-by-hop policy to end-to-end properties.

> The real problem is this doesn't/can't enforce the From: header,
> which is the only thing the end-user will eventually see. Verifying
> the client can't fix that.

Is Patrick in fact talking about message authentication ala DKIM? Or is he thinking more along the lines of SASL where some sending systems "authenticate" to some receiving systems and as a result are able to reach restricted mailing lists, relay mail outbound, ...

In the latter scenario, using ccert fingerprints is not always convenient, and we had DANE client TLSA RRs, one could use the client domain (HELO name) in ACLs instead of volatile ccert digests.

--
Viktor.
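
The forwarding failure described in the reply above, as an added example that is not part of the original message: a simplified Python model (not Postfix code) of the quoted `tls_required` map, evaluated once by envelope sender and once, for contrast, by connecting client. The hostnames, the mailbox name, and the assumption that the forwarding host delivers without TLS are constructed.

```python
# Simplified model of access-map evaluation on the receiving system
# (acme.example). Illustration only; real Postfix lookups follow access(5).
from dataclasses import dataclass

@dataclass
class Session:
    client: str     # hostname of the connecting MTA: a hop-by-hop property
    tls: bool       # whether this hop negotiated TLS: a hop-by-hop property
    mail_from: str  # envelope sender: survives forwarding (end-to-end)

# Constructed table mirroring the quoted tls_required map.
TLS_REQUIRED = {"example.com": "reject_plaintext_session"}

def lookup(table, name):
    """Try the name, then each parent domain (simplified matching)."""
    labels = name.lower().split(".")
    for i in range(len(labels) - 1):
        action = table.get(".".join(labels[i:]))
        if action:
            return action
    return None

def apply_action(action, session):
    """reject_plaintext_session rejects only when the hop is not encrypted."""
    if action == "reject_plaintext_session" and not session.tls:
        return "REJECT"
    return "DUNNO"

def check_sender_access(table, session):
    """Policy keyed on the envelope sender domain (end-to-end key)."""
    domain = session.mail_from.rsplit("@", 1)[-1]
    return apply_action(lookup(table, domain), session)

def check_client_access(table, session):
    """Policy keyed on the connecting client (hop-by-hop key)."""
    return apply_action(lookup(table, session.client), session)

# Constructed sessions as seen by acme.example.
DIRECT_TLS = Session("mail.example.com", True, "alice@example.com")
DIRECT_PLAIN = Session("mail.example.com", False, "alice@example.com")
# Same message after alumni.example forwards it over a plaintext hop:
FORWARDED = Session("mx.alumni.example", False, "alice@example.com")

if __name__ == "__main__":
    for name, s in [("direct+tls", DIRECT_TLS), ("direct+plain", DIRECT_PLAIN),
                    ("forwarded", FORWARDED)]:
        print(name, check_sender_access(TLS_REQUIRED, s),
              check_client_access(TLS_REQUIRED, s))
```

The sender-keyed check rejects the forwarded message because the envelope sender still names example.com although the connecting host is alumni.example; the client-keyed check evaluates the hop that actually connected.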