> On Jul 13, 2016, at 2:27 AM, Michael Fox <n...@mefox.org> wrote:
> 
> So, I'm thinking I need three submission ports:
> * one for AUTH but no TLS
> * one for AUTH with opportunistic TLS
> * one for AUTH with enforced TLS

You can combine these into just one service by using:

    main.cf:
        mua_discard_ehlo_keyword_address_maps = cidr:${config_directory}/ehlo.cidr

    master.cf:
        submission inet ... smtpd
          -o smtpd_discard_ehlo_keyword_address_maps=$mua_discard_ehlo_keyword_address_maps

    ehlo.cidr:
        192.0.2.1/32 starttls,silent-discard

to suppress TLS for some clients, and:

    main.cf:
       mua_sender_restrictions =
          check_client_access cidr:${config_directory}/tlsclient.cidr

    master.cf:
       submission inet ... smtpd
          -o smtpd_sender_restrictions=$mua_sender_restrictions

    tlsclient.cidr:
        192.0.2.0/24 DUNNO
        0.0.0.0/0    reject_plaintext_session

-- 
        Viktor.
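
An added example, not part of the message above: a simplified Python model of first-match CIDR table lookup, run over constructed copies of the two tables, to show which policy each client address ends up with. The function names are hypothetical and the model covers only plain `pattern result` lines.

```python
import ipaddress

# Constructed copies of the two tables in the message above.
EHLO_CIDR = "192.0.2.1/32 starttls,silent-discard\n"
TLSCLIENT_CIDR = (
    "192.0.2.0/24 DUNNO\n"
    "0.0.0.0/0    reject_plaintext_session\n"
)

def parse_cidr_table(text):
    """Parse 'pattern result' lines, keeping file order (first match wins)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        # A pattern without /length is a single host, e.g. 0.0.0.0 == 0.0.0.0/32.
        rules.append((ipaddress.ip_network(pattern), result.strip()))
    return rules

def lookup(rules, client):
    """Return the result of the first rule containing client, else None."""
    addr = ipaddress.ip_address(client)
    for net, result in rules:
        if addr.version == net.version and addr in net:
            return result
    return None

def client_policy(client, ehlo_text=EHLO_CIDR, tls_text=TLSCLIENT_CIDR):
    """Return (starttls_offered, plaintext_allowed) for one client address."""
    discarded = lookup(parse_cidr_table(ehlo_text), client) or ""
    keywords = discarded.lower().replace(",", " ").split()
    access = lookup(parse_cidr_table(tls_text), client)
    # DUNNO or no match falls through to later restrictions (treated as allowed here).
    return ("starttls" not in keywords, access != "reject_plaintext_session")

if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.50", "198.51.100.7"):
        print(ip, client_policy(ip))
```

A table with only IPv4 patterns returns no match for IPv6 clients, so a dual-stack submission service needs a `::/0` line as well.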
