Viktor Dukhovni via Postfix-users:
> On Fri, Jan 17, 2025 at 08:57:02AM +0100, Tobi via Postfix-users wrote:
>
> > > That would be unexpected. I'm implementing support for REQUIRETLS
> > > (RFC 8689) and that code is supposed to try multiple MXes before it
> > > gives up.
> > >
> > > Have you perhaps configured smtp_mx_session_limit=1 ?
> > >
> > > postconf smtp_mx_session_limit
> > postconf smtp_mx_session_limit
> > smtp_mx_session_limit = 2
>
> How many *IP addresses* (IPv4 and IPv6) does the primary MX have? If it
> is more than 1, the behaviour is as expected.
Indeed. If the primary MX is dual-stack, and that server can handle
SMTP sessions, then with "smtp_mx_session_limit = 2", the Postfix
SMTP client will not visit alternate MXes.
A simple workaround is to increase smtp_mx_session_limit.
Even "smtp_mx_session_limit = 3" would make a difference.
Postfix has multiple worst-case workarounds (balancing IPv4 versus
IPv6, randomizing the order of equal-preference IP addresses, and
even limiting the number of IP addresses to consider).
But there was no workaround for the case that a multi-homed server
is available but not "good enough". Maybe Postfix could skip IP
addresses with the same (primary) MX name after a mid-session failure
(TLS to weak, or any error that would result in mail being deferred).
If this is as simple as I think it may be (one been_here() call
with the MX hostname) then it might even go into the stable relases.
Otherwise I'd consider changing the Postfix default to
"smtp_mx_session_limit = 3".
> Enforcing dane-only for a domain that does not publish TLSA RRs for
> all MX hosts imposes a monitoring burden, and willingness to use
> work-arounds, such as filtering the list of MX hosts you're willing
> to accept for the domain perhaps via "smtp_dns_reply_filter".
>
> The real solution is to co-ordinate with the domain owner to either
> enable DANE on all MX hosts, or set up non-DANE secure channel
> via some suitable set of trust anchors, ...
Sure, but Postfix could also be a little smarter about the impact
of "smtp_mx_session_limit = 2" and hosts with multiple IP addresses.
Or we could rearrange the Postfix TLS stack and skip a host when
DANE is required but trust anchors are unavailable.
Wietse
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
