From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8349791D30 for ; Mon, 20 Mar 2023 11:36:33 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 65B3128F2 for ; Mon, 20 Mar 2023 11:36:03 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 20 Mar 2023 11:36:02 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 23D2B45A38 for ; Mon, 20 Mar 2023 11:36:02 +0100 (CET) From: Christoph Heiss To: pmg-devel@lists.proxmox.com Date: Mon, 20 Mar 2023 11:35:48 +0100 Message-Id: <20230320103548.382757-5-c.heiss@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230320103548.382757-1-c.heiss@proxmox.com> References: <20230320103548.382757-1-c.heiss@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.070 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pmg-devel] [PATCH v2 pmg-docs 4/4] pmgconfig: Explain new TLS inbound domains configuration X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Mar 2023 10:36:33 -0000 Signed-off-by: Christoph Heiss --- Changes v1 -> v2: * Rename 'TLS inbound policy' to 'TLS inbound domains' * Add link to postconf(5) section for `reject_plaintext_session` pmgconfig.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pmgconfig.adoc b/pmgconfig.adoc index fea26db..9a57d06 100644 --- a/pmgconfig.adoc +++ b/pmgconfig.adoc @@ -97,6 +97,10 @@ Stores your subscription key and status. TLS policy for outbound connections. +`/etc/pmg/tls_inbound_domains`:: + +Sender domains for which TLS is enforced on inbound connections. + `/etc/pmg/transports`:: Message delivery transport setup. @@ -495,6 +499,13 @@ This can be used if you need to prevent email delivery without encryption, or to work around a broken 'STARTTLS' ESMTP implementation. See {postfix_tls_readme} for details on the supported policies. +Additionally, TLS can also be enforced on incoming connections for specific +sender domains by creating a TLS inbound domains entry. Mails with matching +domains must use a encrypted SMTP session, otherwise they are rejected. All +domains on this list have the +https://www.postfix.org/postconf.5.html#reject_plaintext_session[`reject_plaintext_session`] +postfix parameter set. + Enable TLS logging:: To get additional information about SMTP TLS activity, you can enable -- 2.39.2