We're seeing an odd problem with postfix TLS only when talking to an ironport device. We configured smtp_tls_security_level = none and used smtp_tls_policy_maps to set a per-site TLS policy, rather than doing TLS by default.
This had worked perfectly for months and many thousands of SMTP sessions. That is to say, in the common case there was no TLS, but for those domains listed as "may" or "encrypt protocols=TLSv1" in the TLS policy maps, a TLS session was set up. We have just started doing business with a firm that uses an ironport device, and discovered that postfix will not issue a STARTTLS to that host, whether it's listed in tls_policy_maps with "may" or "encrypt protocols=TLSv1". After much hair pulling, we discovered that postfix will issue STARTTLS to that server only after we specifically change the default setting to smtp_tls_security_level = may. Of course, now postfix sets up a TLS session with any server that offers STARTTLS - but naturally I'd like to spare our CPU cycles for the transactions that really need TLS. I vaguely recall some discussion from the past about a problem when "250 STARTTLS" is the last line issued by a remote SMTP server in response to the EHLO. We're running postfix 2.4.5 - I upgraded one box to 2.5.5 but the behavior was unchanged.
postconf -n output below: ----------------------------------- alias_database = btree:/etc/aliases alias_maps = btree:/etc/aliases, btree:/etc/mail/aliases.focus, btree:/etc/mail/aliases.lists, btree:/etc/mail/aliases.mexico, btree:/etc/mail/aliases.misc, btree:/etc/mail/aliases.notes, btree:/etc/mail/aliases.pager, btree:/etc/mail/aliases.spam, btree:/etc/mail/aliases.tdpr, btree:/etc/mail/aliases.tfsmexico bounce_queue_lifetime = 5d canonical_maps = btree:/etc/postfix/canonical command_directory = /usr/sbin config_directory = /etc/postfix content_filter = daemon_directory = /usr/lib/postfix debug_peer_level = 2 default_database_type = btree default_destination_concurrency_limit = 8 default_process_limit = 256 defer_transports = disable_dns_lookups = no header_checks = regexp:/etc/postfix/header_checks html_directory = /usr/share/doc/packages/postfix/html inet_interfaces = all mail_owner = postfix mail_spool_directory = /var/mail mailbox_command = mailbox_size_limit = 0 mailbox_transport = mailq_path = /usr/bin/mailq manpage_directory = /usr/share/man masquerade_classes = envelope_sender, header_sender, header_recipient masquerade_domains = masquerade_exceptions = root maximal_queue_lifetime = 5d message_size_limit = 30720000 mime_header_checks = regexp:/etc/postfix/mime_header_checks.regexp mydestination = $myhostname, localhost.$mydomain, /etc/mail/local-host-names myhostname = freeside.mydomain.com mynetworks = cidr:/etc/postfix/mynetworks myorigin = $mydomain newaliases_path = /usr/bin/newaliases parent_domain_matches_subdomains = debug_peer_list, fast_flush_domains, mynetworks, permit_mx_backup_networks, qmqpd_authorized_clients, relay_domains, smtpd_access_maps, transport_maps queue_directory = /var/spool/postfix readme_directory = /usr/share/doc/packages/postfix/README_FILES recipient_canonical_maps = btree:/etc/postfix/recipient_canonical relay_domains = $mydestination, btree:/etc/postfix/relay_domains relay_recipient_maps = 
btree:/etc/postfix/relay_recipients relayhost = relocated_maps = btree:/etc/postfix/relocated sample_directory = /usr/share/doc/packages/postfix/samples sender_canonical_maps = btree:/etc/postfix/sender_canonical sendmail_path = /usr/sbin/sendmail setgid_group = maildrop smtp_generic_maps = regexp:/etc/postfix/generic.regexp smtp_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt smtp_tls_cert_file = /etc/postfix/ssl/freeside.mydomain.com.crt smtp_tls_key_file = /etc/postfix/ssl/freeside.mydomain.com.key smtp_tls_loglevel = 1 smtp_tls_note_starttls_offer = yes smtp_tls_policy_maps = btree:/etc/postfix/tls_policy_maps smtp_tls_security_level = may smtp_tls_session_cache_database = sdbm:/etc/postfix/smtp_scache smtp_tls_session_cache_timeout = 3600s smtp_use_tls = yes smtpd_banner = $myhostname ESMTP $mail_name ($mail_version) smtpd_data_restrictions = reject_unauth_pipelining smtpd_delay_reject = yes smtpd_error_sleep_time = 60 smtpd_hard_error_limit = 20 smtpd_helo_required = yes smtpd_helo_restrictions = smtpd_recipient_restrictions = check_recipient_access btree:/etc/postfix/recipient_bypass permit_mynetworks, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_unauth_destination, reject_rbl_client b.barracudacentral.org, reject_rbl_client zen.spamhaus.org, reject_rbl_client bl.spamcop.net, check_policy_service inet:10.63.12.80:10031 check_recipient_access btree:/etc/postfix/access, permit smtpd_sender_restrictions = check_sender_access btree:/etc/postfix/sender_bypass check_sender_access btree:/etc/postfix/access, permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_recipient_domain, permit smtpd_soft_error_limit = 10 smtpd_tls_CAfile = /etc/postfix/ssl/ca-bundle.crt smtpd_tls_cert_file = /etc/postfix/ssl/freeside.mydomain.com.crt smtpd_tls_key_file = /etc/postfix/ssl/freeside.mydomain.com.key smtpd_tls_loglevel = 1 smtpd_tls_received_header = yes smtpd_tls_session_cache_database = 
sdbm:/etc/postfix/smtpd_scache smtpd_tls_session_cache_timeout = 3600s smtpd_use_tls = yes strict_rfc821_envelopes = no tls_random_source = dev:/dev/urandom transport_maps = btree:/etc/postfix/transport unknown_local_recipient_reject_code = 550