> > So, I'm thinking I need three submission ports: > > * one for AUTH but no TLS > > * one for AUTH with opportunistic TLS > > * one for AUTH with enforced TLS > > You can combine these into just one service by using: > > main.cf: > mua_discard_ehlo_keyword_address_maps = > cidr:${config_directory}/ehlo.cidr > > master.cf: > submission inet ... smtpd > -o > smtpd_discard_ehlo_keyword_address_maps=$mua_discard_ehlo_keyword_address_ > maps > > ehlo.cidr: > 192.0.2.1/32 starttls,silent-discard > > to suppress TLS for some clients, and: > > main.cf: > mua_sender_restrictions = > check_client_access cidr:${config_directory}/tlsclient.cidr > > master.cf: > submission inet ... smtpd > -o smtpd_sender_restrictions=$mua_sender_restrictions > > tlsclient.cidr: > 192.0.2.0/24 DUNNO > 0.0.0.0/0 reject_plaintext_session > > -- > Viktor.
Wow. Thank you! That looks elegant and powerful. It will take me some time for me to absorb. But looking at http://www.postfix.org/postconf.5.html, I don't find mua_discard_ehlo_keyword_address_maps or mua_sender_restrictions. Are those literal names? Where can I find documentation? Thanks, Michael