> On Jul 13, 2016, at 2:27 AM, Michael Fox <n...@mefox.org> wrote: > > So, I'm thinking I need three submission ports: > * one for AUTH but no TLS > * one for AUTH with opportunistic TLS > * one for AUTH with enforced TLS
You can combine these into just one service by using: main.cf: mua_discard_ehlo_keyword_address_maps = cidr:${config_directory}/ehlo.cidr master.cf: submission inet ... smtpd -o smtpd_discard_ehlo_keyword_address_maps=$mua_discard_ehlo_keyword_address_maps ehlo.cidr: 192.0.2.1/32 starttls,silent-discard to suppress TLS for some clients, and: main.cf: mua_sender_restrictions = check_client_access cidr:${config_directory}/tlsclient.cidr master.cf: submission inet ... smtpd -o smtpd_sender_restrictions=$mua_sender_restrictions tlsclient.cidr: 192.0.2.0/24 DUNNO 0.0.0.0 reject_plaintext_session -- Viktor.