Tobi via Postfix-users:
> Hi list
>
> we have an issue with mail delivery. We use tlspol to tell postfix if
> mta-sts or DANE should be used for a recipient domain. Now we have the
> case that a rcpt domain has 3 MX records. The first one with prio 0 has
> **no** TLSA records but the other two (prio 10 and 20) have proper TLSA
> records. The zone itself is properly DNSSec signed. tlspol returns
> dane-only to postfix in that case. Now it seems that postfix only tries
> the first MX, sees that there is no TLSA and defers the message.
> Should postfix in such cases not try the next MX as well? Is that the
> intended behaviour? I somehow would have expected that postfix handles
> this like a temp failure of a MX and therefore try the next one.

That would be unexpected. I'm implementing support for REQUIRETLS
(RFC 8689) and that code is supposed to try multiple MXes before
it gives up.

Have you perhaps configured smtp_mx_session_limit=1?

    postconf smtp_mx_session_limit
    postconf -P '*/*/smtp_mx_session_limit'

(same question for smtp_mx_address_limit=1).

Wietse