You may discover sender addresses that submitted unencrypted e-mails by parsing Postfix logs, as @F.sb said. However, in my test environment, I see that Postfix does not log sender address if smtpd_tls_security_level is set to encrypt (or, in an equivalent manner, smtpd_enforce_tls is set to yes). Therefore, in order to get sender addresses from logs, smtpd_tls_security_level must be set to may and unencrypted messages must be rejected during the RCPT TO step. In order to achieve that, include reject_plaintext_session into smtpd_recipient_restrictions and set plaintext_reject_code to 530. For example:
# /etc/postfix/main.cf smtpd_tls_security_level = may smtpd_tls_cert_file = /etc/postfix/postfix.crt smtpd_recipient_restrictions = reject_unauth_destination,reject_plaintext_session,permit plaintext_reject_code = 530
Then, you can configure rsyslog to run a custom executable and supply Postfix logs via STDIN. For example:
# /etc/rsyslog.d/postfix-logs.conf module(load="omprog") template(name="PostfixLogs" type="string" string="%syslogtag% %msg%\n") :syslogfacility-text, isequal, "mail" action(type="omprog" binary="/usr/local/bin/postfix-tls-notify.sh" template="PostfixLogs")
In that custom executable, you will be able to catch sender addresses through sed and send the automatic replies:
# /usr/local/bin/postfix-tls-notify.sh /usr/bin/sed -run 's/^postfix\/smtpd(|\[[0-9]+\]):\s+noqueue:\s+reject:\s+rcpt\s+from\s+[^;]+session\s+encryption\s+is\s+required;\s+from=<([^>; ]+)>.*$/\2/ip' | while read sender; do /usr/bin/mailx -s 'Automatic notification' "${sender}" <<'MESSAGE' Please, send your inquiries by using https://www.example.com/contact.html MESSAGE done
Note: SELinux may prevent rsyslog from sending local messages through sendmail (which is invoked by mailx). If it happens, configure rsyslog to run in permissive mode by issuing the command semanage permissive -a syslogd_t.
