
How to achieve inbound TLS requirement based on domain name rather than IP Address? (Doc ID 2688901.1)

Last updated on JULY 27, 2023

Applies to:

Oracle Communications Messaging Server - Version 8.1.0 and later
Information in this document applies to any platform.

Goal

On Oracle Communications Messaging Server 8.1.0.6.20200618, Message Store

We have a few SMTP partners who want us to require TLS for connections to or from them.

If we could make this decision based on IP address, we could force channel switching early and that works -- we have done that in other parts of our environment.
But we don't want to have to maintain a list of the IP addresses of our partners' MTAs.

The behavior of the thing we are trying to replace was described to us as:
"If we are requiring TLS of example.com and an inbound connection comes from an IP that resolves to mail.server.example.com, we reject the message if they don't issue STARTTLS.

If outbound mail is to user@example.com, we try STARTTLS and bounce the message back if we can't initiate TLS.
Likewise, if outbound mail is for user@someexample.com and the MX record for someexample.com is mail.server.example.com, we try STARTTLS and bounce the message back if we can't initiate TLS."

For outbound, a rewrite rule to send mail to a channel with musttls would suffice -- but that only solves part of the above requirement.

For inbound, our only thought so far is to use dns_verify from PORT_ACCESS to do the DNS lookup of the PTR record to find the name, feed that into a mapping lookup to determine if it is a domain that requires TLS, and then do the source channel selection.
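The policy sketched in the outbound and inbound paragraphs above, written out as an added example; this is not code from the Oracle article or from Messaging Server itself, and it stands in for the MTA-side mapping logic rather than reproducing PORT_ACCESS mapping syntax. DNS is replaced by constructed PTR, A and MX tables so it runs offline; the partner domain list, the sample IPs and hostnames, and the channel name `tcp_musttls` are assumptions (only `tcp_local` is a real default channel name). The inbound side also forward-confirms the PTR name, since a reverse record is controlled by whoever owns the connecting address space and should not be trusted on its own to select a policy.

```python
"""
Added example: a small policy engine that mirrors the behaviour described in
the question. Inbound: require TLS when the connecting IP's reverse name falls
under a TLS-required domain. Outbound: require TLS when either the recipient
domain or the MX host it resolves to falls under such a domain.

All DNS data below is constructed sample data so the example runs offline; a
real deployment would obtain it from the resolver (or from the MTA's own
dns_verify PTR lookup, as the question suggests).
"""
import ipaddress
from typing import List, Optional

# Assumed policy: domains whose MTAs must use TLS with us (constructed sample).
TLS_REQUIRED_DOMAINS = {"example.com", "partner.example"}

# Constructed PTR table: connecting IP -> reverse name.
PTR = {
    "192.0.2.10": "mail.server.example.com",
    "192.0.2.20": "mx1.partner.example",
    "192.0.2.30": "smtp.other.example.net",
    # PTR claims to be under example.com, but the forward lookup disagrees.
    "192.0.2.40": "spoofed.example.com",
}

# Constructed A-record table: hostname -> IPs, used to forward-confirm the PTR.
A_RECORDS = {
    "mail.server.example.com": {"192.0.2.10"},
    "mx1.partner.example": {"192.0.2.20"},
    "smtp.other.example.net": {"192.0.2.30"},
    "spoofed.example.com": {"198.51.100.7"},
}

# Constructed MX table: recipient domain -> MX hostnames.
MX_RECORDS = {
    "example.com": ["mail.server.example.com"],
    "someexample.com": ["mail.server.example.com"],
    "other.example.net": ["smtp.other.example.net"],
}


def domain_requires_tls(hostname: str) -> bool:
    """True if hostname equals, or is a subdomain of, a TLS-required domain."""
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in TLS_REQUIRED_DOMAINS)


def fcrdns_name(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: return the PTR name only if it resolves back to ip."""
    ipaddress.ip_address(ip)  # reject garbage before it reaches the lookup tables
    name = PTR.get(ip)
    if name is None or ip not in A_RECORDS.get(name, set()):
        return None  # no PTR, or PTR not confirmed: treat the peer as unnamed
    return name


def inbound_requires_tls(peer_ip: str) -> bool:
    """Does the connecting peer's (confirmed) name fall under a TLS-required domain?"""
    name = fcrdns_name(peer_ip)
    return name is not None and domain_requires_tls(name)


def inbound_decision(peer_ip: str, client_sent_starttls: bool) -> str:
    """'reject' a message from a TLS-required partner that never issued STARTTLS."""
    if inbound_requires_tls(peer_ip) and not client_sent_starttls:
        return "reject"
    return "accept"


def outbound_requires_tls(recipient: str) -> bool:
    """TLS is required if the recipient domain, or any of its MX hosts, matches policy."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain_requires_tls(domain):
        return True
    mx_hosts: List[str] = MX_RECORDS.get(domain, [])
    return any(domain_requires_tls(mx) for mx in mx_hosts)


def outbound_channel(recipient: str) -> str:
    """Select the delivery channel: tcp_musttls (assumed name) enforces TLS, tcp_local does not."""
    return "tcp_musttls" if outbound_requires_tls(recipient) else "tcp_local"
```

An unconfirmed PTR (the 192.0.2.40 case) deliberately falls through to the default policy rather than to the partner policy: a reverse name that does not resolve back to the connecting address carries no evidence about who is connecting, so it should neither grant nor be relied on for any domain-specific treatment.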

Any suggestions on how to achieve this requirement?
 

Solution
