On Wed, Feb 25, 2009 at 05:50:07PM -0800, J Sloan wrote:

> Victor Duchovni wrote:
> > On Wed, Feb 25, 2009 at 04:50:49PM -0800, J Sloan wrote:
> >
> >   
> >> We have just started doing business with a firm that uses an ironport
> >> device, and discovered that postfix will not issue a STARTTLS to that
> >> host, whether it's listed in tls_policy_maps with "may"
> >> or "encrypt protocols=TLSv1"
> >>     
> >
> > The policy table lookup key does not match the destination nexthop, or
---------------------------------------------------===================----
> > your indexed table does not contain what you believe it does.
> >   
> 
> That's probably what I would have said to someone with the same
> symptoms. Dunno. In any case, I can always benefit from a fresh perspective.

That's exactly the problem.

> Here is the relevant entry from tls_policy_maps:
> 
> kenion.com              encrypt protocols=TLSv1
> 
> Feb 25 17:43:17 freeside postfix/smtp[16139]: ADA1130FED:
> to=<u...@kenion.com>, relay=65.246.216.42[65.246.216.42]:25, delay=0.68,
> delays=0.1/0/0.5/0.08, dsn=5.0.0, status=bounced (host
> 65.246.216.42[65.246.216.42] said: 530 #5.7.0 Must issue a STARTTLS
> command first (in reply to MAIL FROM command))
> 
> The one thing different about this domain is that we have a transport
> entry for them which specifies the IP of their ironport device. (long
> story) It's not clear to me how that would affect the TLS settings, but
> I'll entertain any ideas at this point.

I think you should be able to figure this out, even without reading the
below, but if you are in a hurry try the documentation:

    http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps

    http://www.postfix.org/TLS_README.html#client_tls_policy

-- 
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
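
[Added example, not part of the original message or of Postfix.] The sketch below models the key selection described in the smtp_tls_policy_maps documentation linked above: the policy table is looked up by the nexthop (verbatim, brackets and port included), which is the recipient domain only when no transport entry overrides it. The function names are hypothetical and the transport line's exact form is an assumption, since the thread does not show it.

```python
# Added illustration: models the documented smtp_tls_policy_maps key selection.
# Simplified: exact-domain transport matches only, no user@domain keys.

def parse_table(text):
    """Parse 'key  value' lines from a Postfix lookup-table source file."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table

def nexthop_for(domain, transport):
    """Nexthop is the transport table's verbatim nexthop, else the recipient domain."""
    _, _, nexthop = transport.get(domain.lower(), "").partition(":")
    return (nexthop or domain).lower()

def policy_for(nexthop, policy):
    """Look up the TLS policy by nexthop, brackets and :port included."""
    if nexthop in policy:
        return nexthop, policy[nexthop]
    # Parent-domain (".example.com") fallback applies only to bare domain names.
    if "[" not in nexthop and ":" not in nexthop:
        labels = nexthop.split(".")
        for i in range(1, len(labels)):
            parent = "." + ".".join(labels[i:])
            if parent in policy:
                return parent, policy[parent]
    return None, None

def resolve(domain, transport_text, policy_text):
    """Return (nexthop, matched policy key, policy) for a recipient domain."""
    nexthop = nexthop_for(domain, parse_table(transport_text))
    key, value = policy_for(nexthop, parse_table(policy_text))
    return nexthop, key, value

# Constructed sample tables; the transport line's exact form is an assumption.
TRANSPORT = "kenion.com    smtp:[65.246.216.42]\n"
POLICY_BY_DOMAIN = "kenion.com    encrypt protocols=TLSv1\n"
POLICY_BY_NEXTHOP = "[65.246.216.42]    encrypt protocols=TLSv1\n"

if __name__ == "__main__":
    for label, policy in (("by domain", POLICY_BY_DOMAIN),
                          ("by nexthop", POLICY_BY_NEXTHOP)):
        nexthop, key, value = resolve("kenion.com", TRANSPORT, policy)
        print(f"{label}: nexthop={nexthop} key={key} "
              f"policy={value or 'no match, global default applies'}")
```

On a live system, `postmap -q` with the nexthop string as the key against the policy table performs the same check.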
