Transport Layer Security (TLS) can be easily configured on an SMTP listener using the following configuration snippet:
    ESMTP_Listener {
        Listen ":25" {
            TLS_Certificate = "/path/to/cert.pem"
            TLS_Key = "/path/to/key.pem"
            TLS_Client_CA = "/path/to/clientca.bundle"
            TLS_Ciphers = "DEFAULT"
            TLS_Verify_Mode = "require"
            SMTP_Extensions = ( "ENHANCEDSTATUSCODES" "STARTTLS" )
        }
    }
The following are the configuration options related to inbound TLS:

- tls_verified_peer_can_relay

If client certificate verification fails, the SMTP session does not terminate. The TLS status is stored in predefined context validation variables, so it is possible to drive TLS policy from policy scripts. You can use this to reject messages when client verification failed. For more information regarding the TLS-related context variables, see “Global Predefined Connection Context Variables”.
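Because a failed client-certificate check does not end the session by itself, the listener configuration has to be right before any policy script can act on it. The following is an added example, not code from the product or its documentation: a small parser for the listener syntax shown above and an audit that reports, per Listen block, whether STARTTLS is offered, whether a certificate and key are set, whether a TLS_Client_CA is configured, and whether TLS_Verify_Mode is "require". The three listeners in the sample input are constructed for this example (the ":587" and ":2525" blocks, and the "none" verify-mode value, are assumptions, not settings taken from the page), and the audit rules are this example's own, derived from the snippet above rather than from the product's defaults.

```python
"""Parser and audit for the ESMTP_Listener configuration syntax shown above.

Added example (not the product's own code). Block and key names follow the
page's snippet; the sample input and the audit rules are constructed here.
"""
import re
import shlex

# Constructed sample: ":25" matches the page's snippet, ":587" offers
# STARTTLS without client-certificate verification, ":2525" has no TLS at all.
SAMPLE_CONFIG = '''
ESMTP_Listener {
    Listen ":25" {
        TLS_Certificate = "/path/to/cert.pem"
        TLS_Key = "/path/to/key.pem"
        TLS_Client_CA = "/path/to/clientca.bundle"
        TLS_Ciphers = "DEFAULT"
        TLS_Verify_Mode = "require"
        SMTP_Extensions = ( "ENHANCEDSTATUSCODES" "STARTTLS" )
    }
    Listen ":587" {
        TLS_Certificate = "/path/to/cert.pem"
        TLS_Key = "/path/to/key.pem"
        TLS_Verify_Mode = "none"
        SMTP_Extensions = ( "ENHANCEDSTATUSCODES" "STARTTLS" )
    }
    Listen ":2525" {
        SMTP_Extensions = ( "ENHANCEDSTATUSCODES" )
    }
}
'''

BLOCK_START = re.compile(r'^(\w+)(?:\s+"([^"]*)")?\s*\{$')   # Name ["label"] {
KEY_VALUE = re.compile(r'^(\w+)\s*=\s*(.+)$')                # Key = value


def parse_config(text):
    """Parse nested blocks and Key = value lines into a dict tree.

    A labelled block such as `Listen ":25" {` becomes the key 'Listen :25'.
    Quoted scalars become str; parenthesised lists become list[str].
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unexpected closing brace")
            stack.pop()
            continue
        m = BLOCK_START.match(line)
        if m:
            name, label = m.group(1), m.group(2)
            key = name if label is None else f"{name} {label}"
            child = {}
            stack[-1][key] = child
            stack.append(child)
            continue
        m = KEY_VALUE.match(line)
        if m:
            key, value = m.group(1), m.group(2).strip()
            if value.startswith("(") and value.endswith(")"):
                stack[-1][key] = shlex.split(value[1:-1])
            else:
                stack[-1][key] = value.strip('"')
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def audit_listeners(config):
    """Return {listener_key: [findings]} for every Listen block.

    An empty list means the listener has the same TLS posture as the page's
    snippet: STARTTLS offered, certificate and key set, a client CA bundle
    configured, and client verification required.
    """
    findings = {}
    for key, listener in config.get("ESMTP_Listener", {}).items():
        if not key.startswith("Listen "):
            continue
        issues = []
        if "STARTTLS" not in listener.get("SMTP_Extensions", []):
            issues.append("STARTTLS not offered: sessions stay in cleartext")
        else:
            if "TLS_Certificate" not in listener or "TLS_Key" not in listener:
                issues.append("STARTTLS offered without TLS_Certificate/TLS_Key")
            if "TLS_Client_CA" not in listener:
                issues.append("no TLS_Client_CA: client certificates cannot be verified")
            mode = listener.get("TLS_Verify_Mode")
            if mode != "require":
                issues.append(f"TLS_Verify_Mode is {mode!r}, not 'require'")
        findings[key] = issues
    return findings


if __name__ == "__main__":
    for listener, issues in audit_listeners(parse_config(SAMPLE_CONFIG)).items():
        print(listener, "OK" if not issues else "")
        for issue in issues:
            print("   -", issue)
```

Run as a script it prints one line per listener followed by its findings; ":25" passes, ":587" is reported for the missing client CA and the non-"require" verify mode, and ":2525" for not offering STARTTLS. The parser is deliberately strict (any line it does not recognise raises), so a hand-edited configuration that drifts from the syntax on the page fails the audit loudly instead of being silently skipped.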