Using amavisd forward_method or forward_method_maps_by_ccat to force TLS for certain domains

Thomas Johnson thomas.a.johnson at gmail.com
Tue Jul 23 02:19:07 CEST 2013


We've got a large number of domains for which we filter email.  Some of
them have specific destinations to which they want to enforce TLS, bouncing
email destined to that domain if TLS is not available.  (They need to
require it - opportunistic TLS isn't enough for them for certain domains.)

We can't use the standard postfix maps, because while one user might want
to force TLS to, say, gmail.com, another might not.

So we need to basically look up the recipient domain to see if it's in a
list where the sender wants TLS to be forced and then send it to a
postfix instance that enforces TLS.  I'm looking for the best way to handle
this, and am asking for any ideas or opinions.

Obviously, we're going to do some sort of a lookup based on the sender and
recipient domains to decide if an outbound message should go to a postfix
instance that forces TLS.

I thought of doing this with a custom_hook (before_send, perhaps), that
would  the forward_method for a particular recipient.

I also noted the forward_method_maps_by_ccat option... perhaps we would
create a new ccat that means "deliver by tls"?  And then use
forward_method_maps_by_ccat to map that to a different forward instance.
This seems cleaner, as far as delivery goes... but is there a way to add
an additional major contents_category constant in a well-supported way
that doesn't involve modifying the amavisd-new source code?

Or is there some great way to do this in postfix that isn't occurring to me?


Thanks-

Tom
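
The lookup described in the message above, modelled as an added example (not code from the post or from amavisd-new): each recipient of a message is assigned a forward method based on the sender's domain and the recipient's domain, so one message can be split between the normal and the TLS-enforcing Postfix instance. The policy table, the domain names, the leading-dot subdomain convention and port 10027 are constructed assumptions.

```python
# Added example: models the per-recipient routing decision; not amavisd code.
from collections import defaultdict

# Constructed values in amavisd's forward-method syntax. Port 10027 is
# assumed to be the Postfix instance configured to enforce TLS.
DEFAULT_METHOD = "smtp:[127.0.0.1]:10025"
FORCE_TLS_METHOD = "smtp:[127.0.0.1]:10027"

# Constructed policy: sender domain -> recipient domains that must get TLS.
# An entry with a leading dot matches subdomains only (assumed convention).
FORCE_TLS_POLICY = {
    "customer-a.example": {"gmail.com", ".partner.example"},
    "customer-b.example": {"bank.example"},
}


def domain_of(address):
    """Return the lower-cased domain of an envelope address ('' if none)."""
    address = address.strip().strip("<>")
    if "@" not in address:
        return ""  # null sender "<>" or a malformed address
    return address.rsplit("@", 1)[1].rstrip(".").lower()


def requires_tls(sender, recipient):
    """True if the sender's domain has asked for forced TLS to this recipient."""
    wanted = FORCE_TLS_POLICY.get(domain_of(sender), ())
    rdom = domain_of(recipient)
    if not rdom:
        return False
    if rdom in wanted:
        return True
    # ".partner.example" matches mail.partner.example, not partner.example
    return any(e.startswith(".") and rdom.endswith(e) for e in wanted)


def split_by_forward_method(sender, recipients):
    """Group recipients by the forward method their mail should use."""
    groups = defaultdict(list)
    for rcpt in recipients:
        forced = requires_tls(sender, rcpt)
        groups[FORCE_TLS_METHOD if forced else DEFAULT_METHOD].append(rcpt)
    return dict(groups)
```
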