Skip to content

Forcing TLS to and from a specific domain

birdwes edited this page Feb 17, 2014 · 5 revisions

There is sometimes a requirement to force TLS to and from a specific list of domains, even though it may optionally be set up globally.

The assumption here is that you have already got an opportunistic TLS implementation working.

Note that nothing here affects verification of TLS certificates, so you remain subject to Man-in-the-Middle attacks.

In your "domainlist" section add e.g.:

domainlist tls_force_domains = : * : : *

In acl_check_rcpt (just before require verify = sender):

deny  message        = This domain ($sender_address_domain) requires a TLS connection which is not present
      sender_domains = +tls_force_domains
      ! encrypted    = *

In routers:

  driver = dnslookup
  domains = +tls_force_domains
  transport = tls_smtp

In transports:

  driver = smtp
  hosts_require_tls = *

In retry (optional)

*                      tls_required F,2h,15m;

PCI Compliance. You may need to add the following just after tls_privatekey

# We need to disable SSL2 and key lengths < 128 bits for PCI compliance

tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+SHA:!MD5:!LOW:!SSLv2:!EXP:!DES