How to achieve inbound TLS requirement based on domain name rather than IP Address?
(Doc ID 2688901.1)
Last updated on MAY 10, 2021
Applies to:Oracle Communications Messaging Server - Version 8.1.0 and later
Information in this document applies to any platform.
On : Oracle Communications Messaging Server 22.214.171.124.20200618 version, Message Store
We have a few SMTP partners who want us to require TLS for connections to or from them.
If we could make this decision based on IP address, we could force channel switching early and that works -- we have done that in other parts of our environment.
But we don't want to have to maintain a list of the IP addresses of our partners MTAs.
The behavior of the thing we are trying to replace was described to us as:
"If we are requiring TLS of example.com and an inbound connection comes from an IP that resolves to mail.server.example.com, we reject the message if they don't issue STARTTLS.
If outbound mail is to firstname.lastname@example.org, we try STARTTLS and bounce the message back if we can't initiate TLS.
Likewise, if outbound mail is for email@example.com and the MX record for someexample.com is mail.server.example.com, we try STARTTLS and bounce the message back if we can't initiate TLS."
For outbound, a rewrite rule to send mail to a channel with musttls would suffice -- but that only solves part of the above requirement.
For inbound, our only thought so far is use dns_verify from PORT_ACCESS to do the DNS lookup of the PTR record to find the name; feed that into a mapping lookup to determine if it is a domain that requires TLS and then do the source channel selection.
Any suggestions on how to achieve this requirement?
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document