Can you set Postfix to enforce TLS on incoming email only from certain domains or IPs?

Yes, you can - with a little engineering :)

Since you say you want to enforce TLS based on sender domain, you add a check_sender_access restriction to your smtpd_sender_restrictions, like so:

smtpd_sender_restrictions = check_sender_access hash:/etc/postfix/enforced_tls

and in /etc/postfix/enforced_tls:

@example.org   reject_plaintext_session
@example.net   reject_plaintext_session

Don't forget to postmap the file, and reload postfix when you're done.


/etc/postfix/enforced_tls must be in this format:

example.org   reject_plaintext_session
example.net   reject_plaintext_session

Refer to http://www.postfix.org/access.5.html
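The two answers differ only in the key format. The sketch below is an added example, not code from either answer and not Postfix source. It is a simplified model of the sender-address lookups listed in access(5) (user@domain, domain.tld, .domain.tld, user@) and ignores address extensions. The function names and sample tables are constructed for illustration.

```python
# Simplified model of access(5) lookups for check_sender_access.
# Assumption: helper names and sample data are constructed for this example.

FIRST_ANSWER = """\
@example.org   reject_plaintext_session
@example.net   reject_plaintext_session
"""
SECOND_ANSWER = """\
example.org   reject_plaintext_session
example.net   reject_plaintext_session
"""

def parse_access_table(text):
    """Parse 'pattern action' lines; skip blank lines and '#' comments."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1]
    return table

def candidate_keys(sender, parent_matches_subdomains=True):
    """Keys tried for an envelope sender address, most specific first."""
    local, _, domain = sender.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        # With smtpd_access_maps in parent_domain_matches_subdomains (the
        # default), 'example.org' also covers subdomains; otherwise only
        # the explicit '.example.org' form does.
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(f"{local}@")
    return keys

def lookup(table, sender, parent_matches_subdomains=True):
    """Return the action of the first matching key, or None."""
    for key in candidate_keys(sender, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None

def unmatched_keys(table):
    """'@domain' is not one of the access(5) address forms; flag such keys."""
    return sorted(k for k in table if k.startswith("@"))
```

The lookup is keyed on the envelope sender (MAIL FROM), which the connecting client chooses, so a client that gives a different sender domain is not subject to the restriction.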
