Maytls, maytlsclient, maytlsserver, musttls, musttlsclient, musttlsserver, notls, notlsclient, notlsserver, tlsswitchchannel Options
From MsgServerDocWiki
Transport Layer Security (maytls, maytlsclient, maytlsserver, musttls, musttlsclient, musttlsserver, notls, notlsclient, notlsserver, tlsswitchchannel)
The maytls, maytlsclient, maytlsserver, musttls, musttlsclient, musttlsserver, notls, notlsclient, notlsserver, and tlsswitchchannel channel options configure the use of TLS during the SMTP protocol by SMTP-based channels such as TCP/IP channels.
notls is the default, and means that TLS will not be permitted or attempted. It subsumes the notlsclient channel option, which means that TLS use will not be attempted by the SMTP client on outgoing connections (the STARTTLS command will not be issued during outgoing connections), and the notlsserver channel option, which means that TLS use will not be permitted by the SMTP server on incoming connections (the STARTTLS extension will not be advertised by the SMTP server, nor the command itself accepted).
Specifying maytls causes the MTA to offer TLS to incoming connections and to attempt TLS upon outgoing connections. It subsumes maytlsclient, which means that the SMTP client will attempt TLS use when sending outgoing messages, if sending to an SMTP server that supports TLS, and maytlsserver, which means that the SMTP server will advertise support for the STARTTLS extension and will allow TLS use when receiving messages.
Specifying musttls will cause the MTA to insist upon TLS in both outgoing and incoming connections; e-mail will not be exchanged with remote systems that fail to successfully negotiate TLS use. It subsumes musttlsclient, which means that the SMTP client will insist on TLS use when sending outgoing messages and will not send to SMTP servers that do not successfully negotiate TLS use (the MTA will issue the STARTTLS command and that command must succeed), and musttlsserver, which means that the SMTP server will advertise support for the STARTTLS extension and will insist upon TLS use when receiving incoming messages and will not accept messages from clients that do not successfully negotiate TLS use. When musttls or musttlsserver is on a channel, then unless TLS has been successfully negotiated all MAIL FROM: attempts will be rejected with the error:
530 5.7.0 No STARTTLS command has been given.
The tlsswitchchannel channel option is used to cause incoming connections to be switched to a specified channel upon a client's successful TLS negotiation. (This includes either successful STARTTLS use on a "regular" port, or use of the deprecated approach of negotiating upon connection to a "dedicated to TLS" port, usually port 465, configured via the Dispatcher's TLS_PORT option.) It takes a required value, specifying the channel to which to switch.
Note that TLS library initialization is performed for any SMTP channel which has any TLS usage permitted (or required). In particular, TLS library initialization will be performed by the TCP client for a channel marked merely maytlsserver. (This overhead is normally fairly negligible.)
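As an added illustration (editor's code, not Messaging Server code or anything from this wiki), the following Python models the option semantics described above: how the combined keywords subsume and override the client/server ones, what the server advertises and how MAIL FROM is answered with the 530 5.7.0 reply under musttls or musttlsserver, the channel switch that tlsswitchchannel performs after a successful negotiation, and a check that infers a remote server's effective policy from a captured plaintext session. It assumes that the required value of tlsswitchchannel is the token following the keyword; the function names, the success reply text and the sample session are constructed.

```python
# Constructed model of the channel keywords above (not Messaging Server code):
# keyword -> (client-side policy, server-side policy); None leaves that side unchanged.
_KEYWORDS = {
    "notls": ("no", "no"), "notlsclient": ("no", None), "notlsserver": (None, "no"),
    "maytls": ("may", "may"), "maytlsclient": ("may", None), "maytlsserver": (None, "may"),
    "musttls": ("must", "must"), "musttlsclient": ("must", None), "musttlsserver": (None, "must"),
}
MUSTTLS_REJECT = "530 5.7.0 No STARTTLS command has been given."

def resolve_policy(tokens):
    """Fold a channel's keyword tokens into its effective TLS policy. notls is the default and
    a later keyword overrides an earlier one for the side(s) it covers. Assumption: the
    required value of tlsswitchchannel is the token that follows it."""
    policy = {"client": "no", "server": "no", "switch": None}
    it = iter(tokens)
    for tok in it:
        if tok == "tlsswitchchannel":
            policy["switch"] = next(it)
        elif tok in _KEYWORDS:
            client, server = _KEYWORDS[tok]
            policy["client"] = client or policy["client"]
            policy["server"] = server or policy["server"]
    return policy

def server_behaviour(policy, tls_negotiated):
    """Incoming connection: STARTTLS advertised?, MAIL FROM reply, channel switched to (if any)."""
    rejected = policy["server"] == "must" and not tls_negotiated
    return {
        "advertise_starttls": policy["server"] in ("may", "must"),
        "mail_from_reply": MUSTTLS_REJECT if rejected else "250 2.1.0 OK",  # success text is constructed
        "switched_to": policy["switch"] if tls_negotiated else None,
    }

def client_behaviour(policy, server_advertises_starttls):
    """Outgoing connection: does the client issue STARTTLS, and will it deliver without TLS?"""
    if policy["client"] == "no":
        return {"issue_starttls": False, "deliver_without_tls": True}
    if policy["client"] == "may":
        return {"issue_starttls": server_advertises_starttls, "deliver_without_tls": True}
    return {"issue_starttls": True, "deliver_without_tls": False}  # must: STARTTLS has to succeed

def observed_server_policy(transcript):
    """Infer a server's effective policy from a captured plaintext session (EHLO reply lines,
    then the MAIL FROM reply) in which the client never issued STARTTLS."""
    advertised = any(line[4:].strip().upper() == "STARTTLS"
                     for line in transcript if line.startswith("250"))
    if any(line.startswith("530 5.7.0") for line in transcript):
        return "must"
    return "may" if advertised else "no"
```

Feeding observed_server_policy the EHLO and MAIL FROM replies from a plaintext test session is a quick way to confirm that a channel intended to be musttlsserver really refuses mail before STARTTLS.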

