From 374bcb5f4944279fba8b4a576a8f883c4241443a Mon Sep 17 00:00:00 2001 From: Christoph Heiss Date: Mon, 20 Mar 2023 11:35:48 +0100 Subject: [PATCH] pmgconfig: Explain new TLS inbound domains configuration Signed-off-by: Christoph Heiss [ S.I.: mention that the setting is only on the external port ] Signed-off-by: Stoiko Ivanov --- pmgconfig.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/pmgconfig.adoc b/pmgconfig.adoc index fea26db..564b87c 100644 --- a/pmgconfig.adoc +++ b/pmgconfig.adoc @@ -97,6 +97,10 @@ Stores your subscription key and status. TLS policy for outbound connections. +`/etc/pmg/tls_inbound_domains`:: + +Sender domains for which TLS is enforced on inbound connections. + `/etc/pmg/transports`:: Message delivery transport setup. @@ -495,6 +499,13 @@ This can be used if you need to prevent email delivery without encryption, or to work around a broken 'STARTTLS' ESMTP implementation. See {postfix_tls_readme} for details on the supported policies. +Additionally, TLS can also be enforced on incoming connections on the external +port for specific sender domains by creating a TLS inbound domains entry. Mails +with matching domains must use a encrypted SMTP session, otherwise they are +rejected. All domains on this list have and entry of +https://www.postfix.org/postconf.5.html#reject_plaintext_session[`reject_plaintext_session`] +in a `check_sender_access` table. + Enable TLS logging:: To get additional information about SMTP TLS activity, you can enable
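Review bot: in the first hunk (@@ -97,6 +97,10), the description of `/etc/pmg/tls_inbound_domains` says TLS is enforced "on inbound connections" but omits the external-port restriction that the second hunk and the commit message both state. Suggest "Sender domains for which TLS is enforced on inbound connections on the external port." so the file list does not read as if the internal port were covered as well.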
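Review bot: the added paragraph in the second hunk (@@ -495,6 +499,13) has two typos: "must use a encrypted SMTP session" should read "an encrypted", and "have and entry of" should read "have an entry of". "Additionally, TLS can also be enforced" is redundant, so drop either "Additionally" or "also". Since the entries go into a `check_sender_access` table, it would also help to say that the match is on the envelope sender domain, because "sender domains" alone leaves open whether the header From address is meant.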