Victor Duchovni wrote:
> On Wed, Feb 25, 2009 at 04:50:49PM -0800, J Sloan wrote:
>
>> We have just started doing business with a firm that uses an ironport
>> device, and discovered that postfix will not issue a STARTTLS to that
>> host, whether it's listed in tls_policy_maps with "may"
>> or "encrypt protocols=TLSv1"
>>
>
> The policy table lookup key does not match the destination nexthop, or
> your indexed table does not contain what you believe it does.
>
That's probably what I would have said to someone with the same symptoms. Dunno. In any case, I can always benefit from a fresh perspective.

Here is the relevant entry from tls_policy_maps:

    kenion.com encrypt protocols=TLSv1

    Feb 25 17:43:17 freeside postfix/smtp[16139]: ADA1130FED: to=<u...@kenion.com>, relay=65.246.216.42[65.246.216.42]:25, delay=0.68, delays=0.1/0/0.5/0.08, dsn=5.0.0, status=bounced (host 65.246.216.42[65.246.216.42] said: 530 #5.7.0 Must issue a STARTTLS command first (in reply to MAIL FROM command))

The one thing different about this domain is that we have a transport entry for them which specifies the IP of their ironport device. (long story) It's not clear to me how that would affect the TLS settings, but I'll entertain any ideas at this point.

We have about 50 domains listed in tls_policy_maps, and up until the issue with this domain, postfix has behaved exactly as expected with all of them.

Joe
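As an added illustration, not part of the thread: the TLS policy table is searched with the next-hop destination, so when transport_maps sends a domain to an explicit `[address]`, the smtp_tls_policy_maps key has to be that same bracketed next hop, not the recipient domain. The transport entry, file paths and main.cf lines below are assumed; only the domain and the IP come from the log line in the post.

```conf
# /etc/postfix/transport (assumed): route kenion.com to the Ironport address.
# After this, the next hop Postfix looks up is "[65.246.216.42]", not "kenion.com".
kenion.com        smtp:[65.246.216.42]

# /etc/postfix/tls_policy (assumed path): the key must equal the next hop verbatim.
# Never matched for the transport above, because the next hop is no longer the domain:
# kenion.com        encrypt protocols=TLSv1
# Matched, so STARTTLS is enforced for this destination:
[65.246.216.42]   encrypt protocols=TLSv1

# main.cf parameters these two tables hang off (assumed values):
# transport_maps       = hash:/etc/postfix/transport
# smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Check that the indexed .db really contains the key Postfix will query
# (the second possibility Victor raised), then rebuild both tables:
#   postmap -q "[65.246.216.42]" hash:/etc/postfix/tls_policy
#   postmap /etc/postfix/transport /etc/postfix/tls_policy
```

If the transport entry carries a port (`smtp:[65.246.216.42]:25`), the policy key must include it as well (`[65.246.216.42]:25`).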