From: "Jan C." on
Hello,
I have Postfix with TLS policy maps set up to send traffic via TLS to
remote MTAs. I'm writing an application which should be able to
determine if an email to a given domain will be sent through a TLS
connection or not, just by reading the Postfix configuration. I
thought that having a look in the smtp_tls_policy_maps will be enough
e.g.
"gmail.com encrypt"

This works for domains which are looked up via DNS MX. Now, since the
gmail MTAs do not support TLS, I add the following transport mapping
in transport_maps
"gmail.com smtp.gmail.com:587"

Now the previous entry in smtp_tls_policy_maps does not work anymore
and I have to add a new one:
"smtp.gmail.com:587 encrypt"

So if I want to determine if an email to gmail.com is supposed to be
sent via TLS, the pseudo algorithm would be something like

IF "gmail.com" is *not* present in $transport_maps file
THEN
look for "gmail.com" in smtp_tls_policy_maps
ELSE
find the corresponding mapping for "gmail.com" (in my example
smtp.gmail.com:587) and look for that mapping in
smtp_tls_policy_maps

Then simply look at the TLS policy mapping to see which level of TLS is used.

Is that correct?


Thanks for your help,
Jan

From: Victor Duchovni on
On Tue, Jun 15, 2010 at 10:00:51AM +0200, Jan C. wrote:

> This works for domains which are looked up via DNS MX. Now, since the
> gmail MTAs do not support TLS, I add the following transport mapping
> in transport_maps
> "gmail.com smtp.gmail.com:587"

Don't. This is a submission service. Not an MX service. MX hosts are
on port 25.

--
Viktor.

From: "Jan C." on
Hi Victor,
I know this is a submission service and this was only for
illustration/testing purpose.

I just want to be sure how I can find a domain's TLS mapping from the
smtp_tls_policy_maps when transport mappings are involved.

Thanks,
Jan

From: Victor Duchovni on
On Tue, Jun 15, 2010 at 05:03:08PM +0200, Jan C. wrote:

> Hi Victor,
> I know this is a submission service and this was only for
> illustration/testing purpose.
>
> I just want to be sure how I can find a domain's TLS mapping from the
> smtp_tls_policy_maps when transport mappings are involved.

TLS policy is based on the nexthop domain. If the transport table
overrides the nexthop, then TLS policy will use that nexthop as
documented.

--
Viktor.
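The lookup order Viktor describes, carried through as an added worked example (this is not code from the thread or from Postfix; it re-implements the documented transport(5) and tls_policy(5) matching over constructed sample tables). It assumes the proper "transport:nexthop" syntax, e.g. smtp:[smtp.gmail.com]:587 rather than the shorthand quoted in the thread, and does not model relayhost, sender-dependent transports or parent_domain_matches_subdomains. The two table contents and the domain names are constructed for the example.

```python
"""
Work out which smtp_tls_policy_maps entry Postfix will use for a recipient
domain once transport_maps has been applied.

Added illustration, not Postfix source. It follows the documented rule:
the TLS policy table is indexed by the full nexthop (recipient domain, or
the verbatim nexthop from transport_maps including [brackets] and :port),
and parent-domain ".domain" matching only applies to a bare domain key.
"""

# Constructed sample tables in the plain-text "hash:"/"texthash:" layout.
TRANSPORT_MAPS = """
# transport(5): pattern  transport:nexthop
gmail.com            smtp:[smtp.gmail.com]:587
.example.org         relay:[mx.example.org]
legacy.example.com   smtp:
"""

TLS_POLICY_MAPS = """
# tls_policy(5): nexthop  level [attribute=value ...]
gmail.com              encrypt
[smtp.gmail.com]:587   secure match=smtp.gmail.com
.example.org           verify
.example.com           may
"""

DEFAULT_LEVEL = "none"   # stands in for smtp_tls_security_level (assumed unset)


def parse_map(text):
    """Plain-text Postfix table -> dict. Comment and blank lines are skipped,
    keys are folded to lower case, the value is everything after the key."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup_domain(table, domain):
    """Exact match, then parent domains with a leading dot: for
    a.b.example.com the keys tried are a.b.example.com, .b.example.com,
    .example.com, .com. Note that .example.com never matches example.com itself."""
    key = domain.lower()
    if key in table:
        return table[key]
    labels = key.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def resolve_nexthop(transport_table, recipient_domain):
    """The nexthop is the recipient domain unless transport_maps overrides it.
    An entry reads "transport:nexthop"; an empty nexthop keeps the domain."""
    entry = lookup_domain(transport_table, recipient_domain)
    if entry is None:
        return recipient_domain
    _transport, _, nexthop = entry.partition(":")
    return nexthop if nexthop else recipient_domain


def tls_policy_for_nexthop(policy_table, nexthop, default=DEFAULT_LEVEL):
    """Index the policy table by the *full* nexthop. Only a bare domain
    (no [brackets], no :port) falls back to parent-domain matching."""
    key = nexthop.lower()
    if key in policy_table:
        entry = policy_table[key]
    elif "[" not in key and ":" not in key:
        entry = lookup_domain(policy_table, key)
    else:
        entry = None
    if entry is None:
        return default
    return entry.split()[0]          # the security level; attributes follow it


def effective_policy(recipient_domain, transport_text=TRANSPORT_MAPS,
                     policy_text=TLS_POLICY_MAPS):
    """Return (nexthop, tls_level) for mail addressed to recipient_domain."""
    nexthop = resolve_nexthop(parse_map(transport_text), recipient_domain)
    return nexthop, tls_policy_for_nexthop(parse_map(policy_text), nexthop)


if __name__ == "__main__":
    for domain in ("gmail.com", "mail.example.org", "legacy.example.com",
                   "example.com", "unknown.test"):
        nexthop, level = effective_policy(domain)
        print(f"{domain:20} nexthop={nexthop:24} tls={level}")
```

Two of the sample rows show the trap from the thread: once transport_maps sends gmail.com to [smtp.gmail.com]:587, the "gmail.com encrypt" row is never consulted and only a "[smtp.gmail.com]:587" row applies; and a bracketed nexthop such as [mx.example.org] gets no parent-domain fallback, so a ".example.org verify" policy row is silently bypassed and the default level is used. On a live system the same two lookups can be checked against the real tables with `postmap -q gmail.com hash:/etc/postfix/transport` and `postmap -q '[smtp.gmail.com]:587' hash:/etc/postfix/tls_policy`.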

From: "Jan C." on
ok thanks.

Jan