Postfix selectively enforce TLS

I am running postfix in Debian Wheezy as my MTA. I currently have it configured to require secure connections for SMTP.

In main.cf I have:

smtpd_tls_auth_only = yes
smtpd_tls_security_level = encrypt

And then in master.cf, I have:

smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes

This works fine. However, I have a scenario where I need to allow a single email account access to connect without SSL/TLS due to hardware incompatibility. Is there an easy way to make this requirement selective based on the authenticated user? I haven't been able to come across any easy or elegant solutions to accomplish this.

Any thoughts/feedback welcome!

      • 2
    • Don't you have a chicken-and-egg problem? That is to say, with the config above, you can't authenticate until you've negotiated TLS, by which time it's too late to exempt the authenticated user from a TLS requirement.
      • 1
    • Set up a different instance of postfix running on a non standard port in master.cf, and make it much less restrictive.
      • 1
    • @NickW Is there a way to override the smtpd_tls_auth_only and smtpd_tls_security_level on a non standard port though? From what I can see, there isn't. That was my initial thought, but I couldn't figure out how to configure it correctly.
      • 2
    • @NickW scratch that, I think I may have figured it out, not sure why my options weren't registering the other day though!

I was able to accomplish this with the following option in master.cf:

925      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no

This will allow clients to connect on port 925, without requiring TLS.

  • 1
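An added check, not part of the original thread: it resolves the per-service `-o` overrides in master.cf against main.cf and lists every smtpd listener that no longer forces TLS, which is what the port 925 entry above does. The function names are hypothetical, the main.cf values are assumed to be the two quoted in the question, and only the plain `-o name=value` form is parsed.

```python
import re

# Constructed sample: the master.cf entries quoted in the question and answer.
SAMPLE_MASTER_CF = """\
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=yes
925      inet  n       -       -       -       -       smtpd
  -o smtpd_enforce_tls=no
  -o smtpd_tls_security_level=may
  -o smtpd_tls_auth_only=no
"""

# Assumption: main.cf holds the two values quoted in the question.
MAIN_CF = {"smtpd_tls_security_level": "encrypt", "smtpd_tls_auth_only": "yes"}


def logical_lines(text):
    """Join master.cf continuation lines (leading whitespace) onto their entry."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and entries:
            entries[-1] += " " + raw.strip()
        else:
            entries.append(raw.strip())
    return entries


def audit(master_cf, main_cf=MAIN_CF):
    """Return (service, reason) for each inet smtpd listener that does not force TLS."""
    findings = []
    for entry in logical_lines(master_cf):
        fields = entry.split()
        if len(fields) < 8 or fields[1] != "inet" or fields[7] != "smtpd":
            continue
        # "-o name=value" overrides main.cf for this one service; a set
        # smtpd_tls_security_level takes precedence over legacy smtpd_enforce_tls.
        effective = {**main_cf, **dict(re.findall(r"-o\s+(\w+)=(\S+)", entry))}
        legacy = "encrypt" if effective.get("smtpd_enforce_tls") == "yes" else "unset"
        level = effective.get("smtpd_tls_security_level") or legacy
        if level != "encrypt":
            findings.append((fields[0], f"TLS not required (level={level})"))
            if effective.get("smtpd_tls_auth_only", "no") != "yes":
                findings.append((fields[0], "AUTH offered without TLS"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_MASTER_CF))
```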