> > So, I'm thinking I need three submission ports:
> > * one for AUTH but no TLS
> > * one for AUTH with opportunistic TLS
> > * one for AUTH with enforced TLS
>
> You can combine these into just one service by using:
>
> main.cf:
> mua_discard_ehlo_keyword_address_maps =
>     cidr:${config_directory}/ehlo.cidr
>
> master.cf:
> submission inet ... smtpd
>   -o smtpd_discard_ehlo_keyword_address_maps=$mua_discard_ehlo_keyword_address_maps
>
> ehlo.cidr:
> 192.0.2.1/32 starttls,silent-discard
>
> to suppress TLS for some clients, and:
>
> main.cf:
> mua_sender_restrictions =
>     check_client_access cidr:${config_directory}/tlsclient.cidr
>
> master.cf:
> submission inet ... smtpd
>   -o smtpd_sender_restrictions=$mua_sender_restrictions
>
> tlsclient.cidr:
> 192.0.2.0/24 DUNNO
> 0.0.0.0/0 reject_plaintext_session
>
> --
> Viktor.
Wow. Thank you! That looks elegant and powerful. It will take me some
time to absorb.
But looking at http://www.postfix.org/postconf.5.html, I don't find
mua_discard_ehlo_keyword_address_maps or mua_sender_restrictions. Are those
literal names? Where can I find documentation?
Thanks,
Michael
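
The following is an added example, not part of the thread and not Postfix code: a small Python model of how the two cidr tables quoted above combine per client address, assuming first-match-wins lookup as in Postfix cidr: tables. The function names and the 203.0.113.7 sample address are constructed for illustration.

```python
import ipaddress

# Table contents copied from the quoted reply. Postfix cidr: tables are
# searched top to bottom and the first matching pattern wins.
EHLO_CIDR = [("192.0.2.1/32", "starttls,silent-discard")]
TLSCLIENT_CIDR = [
    ("192.0.2.0/24", "DUNNO"),
    ("0.0.0.0/0", "reject_plaintext_session"),
]


def cidr_lookup(table, client_ip):
    """Return the result of the first matching pattern, or None."""
    addr = ipaddress.ip_address(client_ip)
    for pattern, result in table:
        net = ipaddress.ip_network(pattern)
        # An IPv4 pattern never matches an IPv6 client, and vice versa.
        if addr.version == net.version and addr in net:
            return result
    return None


def submission_policy(client_ip):
    """Classify a client into one of the three behaviours asked about."""
    discard = cidr_lookup(EHLO_CIDR, client_ip) or ""
    keywords = {k.strip().lower() for k in discard.split(",")}
    starttls_offered = "starttls" not in keywords
    access = cidr_lookup(TLSCLIENT_CIDR, client_ip)
    # DUNNO (or no match) falls through, so plaintext stays permitted.
    plaintext_allowed = access != "reject_plaintext_session"
    if not starttls_offered and plaintext_allowed:
        return "no TLS"
    if starttls_offered and plaintext_allowed:
        return "opportunistic TLS"
    if starttls_offered:
        return "enforced TLS"
    return "unusable: STARTTLS hidden but plaintext rejected"


if __name__ == "__main__":
    # Constructed sample clients: one per behaviour.
    for ip in ("192.0.2.1", "192.0.2.50", "203.0.113.7"):
        print(f"{ip:<14} {submission_policy(ip)}")
```

In this model an IPv6 client matches neither table and lands in the opportunistic case, so a service that also listens on IPv6 would need a `::/0` entry in tlsclient.cidr to enforce TLS there.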