Hi

I've got a client who wants to do mandatory TLS for e-mails to as well
as from several parties, identified by their domains. Outbound mandatory
TLS is easy enough using smtp_tls_policy_maps. We have also enabled
opportunistic TLS on the smtpd and have explained to our client that
he'd be in conflict with RFC 3207 if he were to demand that we set
smtpd_tls_securitylevel=encrypt. Now they're asking whether it would be
possible to leave smtpd_tls_securitylevel=may and still enforce STARTTLS
use for e-mails coming from certain domains.

Since smtpd can't decide what the MAIL FROM is going to be when a client
connects, and since we don't know which SMTP clients we're supposed to
expect e-mail from the domains in question from, it obviously has to
allow the client to proceed until it has received the MAIL FROM command.
Then it might be possible to use smtpd_sender_restrictions to reject an
attempt to send mail without TLS. However, I have not yet found a way to
do so.

Is there any parameter signalling the TLS state that I can use in
smtpd_sender_restrictions (or later)?

Regards,
Tobias
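One way to get at the TLS state once MAIL FROM is known, as an added example that is not from this thread: Postfix hands a check_policy_service the attribute encryption_protocol, which is empty on a plaintext session, so a small policy daemon can reject listed sender domains that arrive without STARTTLS. The main.cf hook-up, the port and the domain list below are assumptions.

```python
#!/usr/bin/env python3
"""Minimal Postfix SMTPD policy service (example, not from the thread):
reject MAIL FROM of listed domains when the session is not encrypted.
Assumed hook-up in main.cf:
  smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10040
"""
import socketserver

# Constructed list of sender domains that must arrive over STARTTLS.
MANDATORY_TLS_DOMAINS = {"example.com", "partner.example.net"}

def parse_request(text):
    """Parse the 'name=value' lines of one policy request into a dict."""
    attrs = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            attrs[name] = value
    return attrs

def decide(attrs):
    """Return the policy action for one request. Postfix fills
    encryption_protocol (e.g. 'TLSv1.2') on an encrypted session and
    leaves it empty when the client did not use STARTTLS."""
    domain = attrs.get("sender", "").rpartition("@")[2].lower()
    if domain in MANDATORY_TLS_DOMAINS and not attrs.get("encryption_protocol"):
        return "REJECT TLS is required for mail from %s" % domain
    return "DUNNO"

class PolicyHandler(socketserver.StreamRequestHandler):
    def handle(self):
        # A request is a block of attribute lines ended by an empty line;
        # smtpd may send several requests over one connection.
        while True:
            lines = []
            for raw in self.rfile:
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            else:
                return  # EOF: client closed the connection
            action = decide(parse_request("\n".join(lines)))
            self.wfile.write(("action=%s\n\n" % action).encode())
            self.wfile.flush()

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

Because the decision keys on the MAIL FROM address, it only forces TLS for sessions that claim one of the listed senders; a plaintext session claiming some other domain still passes, which is the limitation the post already points out.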
