My Oracle Support Banner

How to achieve inbound TLS requirement based on domain name rather than IP Address? (Doc ID 2688901.1)

Last updated on JULY 27, 2023

Applies to:

Oracle Communications Messaging Server - Version 8.1.0 and later
Information in this document applies to any platform.


On : Oracle Communications Messaging Server version, Message Store

We have a few SMTP partners who want us to require TLS for connections to or from them.

If we could make this decision based on IP address, we could force channel switching early and that works -- we have done that in other parts of our environment.
But we don't want to have to maintain a list of the IP addresses of our partners MTAs.

The behavior of the thing we are trying to replace was described to us as:
"If we are requiring TLS of and an inbound connection comes from an IP that resolves to, we reject the message if they don't issue STARTTLS.

If outbound mail is to, we try STARTTLS and bounce the message back if we can't initiate TLS.
Likewise, if outbound mail is for and the MX record for is, we try STARTTLS and bounce the message back if we can't initiate TLS."

For outbound, a rewrite rule to send mail to a channel with musttls would suffice -- but that only solves part of the above requirement.

For inbound, our only thought so far is use dns_verify from PORT_ACCESS to do the DNS lookup of the PTR record to find the name; feed that into a mapping lookup to determine if it is a domain that requires TLS and then do the source channel selection.

Any suggestions on how to achieve this requirement?


To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.