TLS-auth only from remote site

  • In order to avoid spamming I changed postfix' configuration in that way, it's not longer possible to relay mails without authentication. So for now, only three user are allowed to relay mails via postfix without authentication:
    authorized_submit_users = root, vu2000, vmail
    Outgoing traffic to port 25, 465 and 587 if blocked by firewall for every user but postfix.

    However, now I want to force every user, to use TLS when auth comes into play. Unfortunately this is a bit tricky, because not every website supports TLS for localhost. In order to avoid long discussions with clients, I'd like to allow local clients to do auth without using TLS. But: for remote-users TLS should be mandatory. As far as I know, postfix doesn't provide a directive to enforce TLS from remote users but allow non-TLS from localhost (whereas dovecot provides something like this). Postfix' gloabil directive is: "smtpd_tls_auth_only = yes"

    So one thing came in my mind: what about defining a new smtpd-process in on a propritary port (2525 for instance) and DNATing (using iptables) all connections from localhost/25 to that port. Like this:

    1. 2525 inet n - y - - smtpd
    2. -o smtpd_tls_auth_only=no

    Unfortunately, this doesn't work. Even on localhost, authentication is mandatory.
    Any suggestions?