On Fri, Jan 17, 2025 at 08:57:02AM +0100, Tobi via Postfix-users wrote:

> > That would be unexpected. I'm implementing support for REQUIRETLS
> > (RFC 8689) and that code is supposed to try multiple MXes before it
> > gives up.
> >
> > Have you perhaps configured smtp_mx_session_limit=1 ?
> >
> > postconf smtp_mx_session_limit
> postconf smtp_mx_session_limit
> smtp_mx_session_limit = 2

How many *IP addresses* (IPv4 and IPv6) does the primary MX have? If it is more than 1, the behaviour is as expected.

Enforcing dane-only for a domain that does not publish TLSA RRs for all MX hosts imposes a monitoring burden, and willingness to use work-arounds, such as filtering the list of MX hosts you're willing to accept for the domain perhaps via "smtp_dns_reply_filter".

The real solution is to coördinate with the domain owner to either enable DANE on all MX hosts, or set up a non-DANE secure channel via some suitable set of trust anchors, ...

-- 
    Viktor.
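
Added example, not part of the message above and not Postfix code: one way to generate the "smtp_dns_reply_filter" work-around mentioned in the reply, as pcre table lines that IGNORE MX replies for hosts without TLSA RRs. The domain, MX hosts and TLSA flags are constructed sample data; in practice they would come from DNSSEC-validated lookups, and the table path in the comment is an assumption.

```python
import re

# Constructed sample data (not from the thread): MX hosts of a hypothetical
# domain, with whether a validated TLSA RRset exists at _25._tcp.<host>.
SAMPLE_MX = [
    (10, "mx1.example.net.", False),
    (20, "mx2.example.net.", True),
]

def reply_filter_rules(domain, mx_records):
    """Return pcre table lines that IGNORE MX replies for non-DANE hosts.

    Postfix matches each DNS reply in the form
    "name ttl class type preference value", for example
    "example.net. 3600 IN MX 10 mx1.example.net."
    Assumed use: smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
    """
    if not any(has_tlsa for _, _, has_tlsa in mx_records):
        # Ignoring every MX would leave no DANE-capable host to deliver to.
        raise ValueError(f"no MX host of {domain} publishes TLSA records")
    rules = []
    for _, host, has_tlsa in mx_records:
        if not has_tlsa:
            pattern = (rf"^{re.escape(domain)}\s+\d+\s+IN\s+MX\s+\d+\s+"
                       rf"{re.escape(host)}$")
            rules.append(f"/{pattern}/ IGNORE")
    return rules

def surviving_mx(domain, mx_records, rules, ttl=3600):
    """Apply the generated patterns to replies in Postfix's match form."""
    # pcre tables match case-insensitively by default, so do the same here.
    patterns = [re.compile(r[1:r.rindex("/")], re.IGNORECASE) for r in rules]
    kept = []
    for pref, host, _ in mx_records:
        reply = f"{domain} {ttl} IN MX {pref} {host}"
        if not any(p.search(reply) for p in patterns):
            kept.append(host)
    return kept

if __name__ == "__main__":
    for line in reply_filter_rules("example.net.", SAMPLE_MX):
        print(line)
```

The generated table has to be regenerated whenever the domain's MX set or TLSA publication changes, which is the monitoring burden the reply describes.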