On Sat, Apr 19, 2025 at 05:12:06PM +0200, Florian Piekert via Postfix-users wrote:
> #smtp_tls_security_level = may
> smtp_tls_security_level = encrypt
>
> for a while, until just now. When I noticed that some target mx
> destination had delivery issues with this, I put the exception in my
> smtp_tls_policy_maps file, prior postfix-tlspol.
>
> However, even with the exception
> mx2.neumuenster.de may
> in the tls_policy... file, I received
> Apr 19 16:57:39 theater postfix/smtp[103385]: A2235122AC02: enabling PIX
> workarounds: disable_esmtp for mx2.neumuenster.de[212.7.145.246]:25

You might instead try:

    # Mostly obsolete now:
    smtp_pix_workarounds =

After which, you'll get working TLS for this site:

    $ posttls-finger neumuenster.de
    posttls-finger: Connected to mx2.neumuenster.de[212.7.145.246]:25
    posttls-finger: < 220 ************************
    posttls-finger: > EHLO ...
    posttls-finger: < 250-mx2.neumuenster.de
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-SIZE 36700160
    posttls-finger: < 250 STARTTLS
    posttls-finger: > STARTTLS
    posttls-finger: < 220 Go ahead with TLS
    posttls-finger: certificate verification failed for mx2.neumuenster.de[212.7.145.246]:25: untrusted issuer /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
    posttls-finger: mx2.neumuenster.de[212.7.145.246]:25: subject_CN=*.neumuenster.de, issuer=Thawte TLS RSA CA G1, cert fingerprint=0A:D5:7D:56:D9:33:36:62:15:60:D7:D7:69:12:1F:92:81:83:5A:93:A5:28:E7:92:7C:43:41:69:C3:CB:F3:12, pkey fingerprint=4E:75:79:CE:0F:14:13:A1:AF:C4:73:82:66:6F:4E:C9:F0:8D:7A:52:1D:DA:3A:14:B7:93:7E:BF:96:8B:A8:51
    posttls-finger: Untrusted TLS connection established to mx2.neumuenster.de[212.7.145.246]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
    posttls-finger: > EHLO ...
    posttls-finger: < 250-mx2.neumuenster.de
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250 SIZE 36700160
    posttls-finger: > QUIT
    posttls-finger: < 221 mx2.neumuenster.de

If you want to be more cautious, disable the PIX workarounds for just the
IP address in question:

    smtp_pix_workarounds_maps = cidr:{
        { if !212.7.145.246 }
        { 0.0.0.0/0 $smtp_pix_workarounds }
        { endif }
    }

But it may be time for Postfix to no longer enable the PIX workarounds by
default.

-- 
    Viktor.
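An added example, not from the thread and not Postfix code: it parses the "enabling PIX workarounds" lines from the smtp(8) log, classifies what disable_esmtp means under a given smtp_tls_security_level (STARTTLS is an ESMTP extension, so forcing HELO removes it), and emits the single-address cidr exclusion from the reply above. The second log line, mx.example.invalid and 192.0.2.10 are constructed.

```python
import re
from dataclasses import dataclass

# smtp(8) log line written when a CISCO PIX workaround is switched on for a peer.
PIX_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): enabling PIX workarounds: "
    r"(?P<flags>[\w,]+) for (?P<host>[^\s\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
)

# Constructed sample: the first line is the one quoted in the thread, the second
# is made up to show a workaround (delay_dotcrlf) that does not touch STARTTLS.
SAMPLE_LOG = """\
Apr 19 16:57:39 theater postfix/smtp[103385]: A2235122AC02: enabling PIX workarounds: disable_esmtp for mx2.neumuenster.de[212.7.145.246]:25
Apr 19 16:58:02 theater postfix/smtp[103390]: B1F0C122AC07: enabling PIX workarounds: delay_dotcrlf for mx.example.invalid[192.0.2.10]:25
"""

# Levels that refuse to deliver without TLS; "dane" is opportunistic unless
# TLSA records exist, so it is treated as opportunistic here (assumption).
TLS_REQUIRED = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

@dataclass(frozen=True)
class PixEvent:
    queue_id: str
    flags: frozenset
    host: str
    ip: str
    port: int

def parse_pix_events(log_text):
    """Return one PixEvent per 'enabling PIX workarounds' line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = PIX_RE.search(line)
        if m:
            events.append(PixEvent(m["qid"], frozenset(m["flags"].split(",")),
                                   m["host"], m["ip"], int(m["port"])))
    return events

def tls_impact(event, security_level):
    """'ok' if STARTTLS is still possible; otherwise how the mail is affected:
    opportunistic levels silently deliver in cleartext, mandatory ones defer."""
    if "disable_esmtp" not in event.flags:
        return "ok"
    return "deferred" if security_level in TLS_REQUIRED else "cleartext"

def pix_exclusion_cidr(ip):
    """The inline cidr: table from the reply for one excluded address: every
    other peer keeps $smtp_pix_workarounds, the excluded one matches no rule."""
    return ("smtp_pix_workarounds_maps = cidr:{\n"
            f"    {{ if !{ip} }}\n"
            "    { 0.0.0.0/0 $smtp_pix_workarounds }\n"
            "    { endif }\n"
            "}")

if __name__ == "__main__":
    for ev in parse_pix_events(SAMPLE_LOG):
        print(ev.host, ev.ip, sorted(ev.flags), tls_impact(ev, "encrypt"))
```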