Hello,

We have an SMTP server, intentionally running with "smtpd_tls_security_level = encrypt".

If an SMTP client fails to establish a TLS connection, the client falls back to plaintext.
That's nothing we could avoid.

What I see is a session like this:

# swaks --from from@from.example --to to@to.example
=== Trying to.example:25...
=== Connected to to.example.
<-  220 to.example ESMTP
 -> EHLO from.example
<-  250-to.example
<-  250-SOMETHING
<-  250 STARTTLS
 -> MAIL FROM:<from@from.example>
<** 530 5.7.0 Must issue a STARTTLS command first
 -> QUIT
<-  221 2.0.0 Bye

The response "Must issue a STARTTLS command first" is correct. But it's hard for an SMTP client's admin to notice
that a TLS session failed before. So I would like to see a response like
"530 5.7.0 check why TLS wasn't established, maybe update your client, see https://example/more_text_here";

One might suggest using smtpd_reject_footer. It's already used here, and it's generic for many different replies (with generic information about the SMTP client in our case).

I know there is an smtpd_recipient_restriction "reject_plaintext_session", but I only found the option to change the reply code (plaintext_reject_code).
So this doesn't help directly, and it may also be another layer...

Is there any option other than patching Postfix's source code?

Andreas
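For the server side of this problem, here is an added example (not from the original post, and not Postfix's own code) in Python that scans Postfix smtpd log lines for the pattern Andreas describes: a client whose TLS handshake failed and which then reconnected and was refused with the 530 reply shown in the swaks session. The log lines are constructed samples modelled on Postfix's smtpd logging, using documentation addresses; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample of Postfix smtpd log lines (not from the original post).
# Lines are modelled on Postfix's smtpd logging; host names and addresses use
# documentation ranges. Client 192.0.2.10 shows the case from the post: a
# failed TLS handshake, then a reconnect that is refused in plaintext.
SAMPLE_LOG = """\
Mar  3 10:01:10 mx postfix/smtpd[1200]: connect from mail.from.example[192.0.2.10]
Mar  3 10:01:10 mx postfix/smtpd[1200]: SSL_accept error from mail.from.example[192.0.2.10]: -1
Mar  3 10:01:10 mx postfix/smtpd[1200]: lost connection after STARTTLS from mail.from.example[192.0.2.10]
Mar  3 10:01:12 mx postfix/smtpd[1201]: connect from mail.from.example[192.0.2.10]
Mar  3 10:01:12 mx postfix/smtpd[1201]: NOQUEUE: reject: MAIL from mail.from.example[192.0.2.10]: 530 5.7.0 Must issue a STARTTLS command first; from=<from@from.example> proto=ESMTP helo=<from.example>
Mar  3 10:01:12 mx postfix/smtpd[1201]: disconnect from mail.from.example[192.0.2.10] ehlo=1 mail=0/1 quit=1 commands=2/3
Mar  3 10:02:40 mx postfix/smtpd[1202]: connect from relay.other.example[198.51.100.7]
Mar  3 10:02:40 mx postfix/smtpd[1202]: Anonymous TLS connection established from relay.other.example[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Mar  3 10:02:41 mx postfix/smtpd[1202]: disconnect from relay.other.example[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Mar  3 10:05:03 mx postfix/smtpd[1203]: connect from legacy.scanner.example[203.0.113.9]
Mar  3 10:05:03 mx postfix/smtpd[1203]: NOQUEUE: reject: MAIL from legacy.scanner.example[203.0.113.9]: 530 5.7.0 Must issue a STARTTLS command first; from=<alerts@scanner.example> proto=SMTP helo=<scanner>
Mar  3 10:05:03 mx postfix/smtpd[1203]: disconnect from legacy.scanner.example[203.0.113.9] helo=1 mail=0/1 quit=1 commands=2/3
"""

# Postfix names the peer as "hostname[address]"; capture that token whole.
CLIENT = r"(?P<client>\S+\[[^\]]+\])"

PATTERNS = {
    "tls_failures": re.compile(r"SSL_accept error from " + CLIENT),
    "tls_sessions": re.compile(r"TLS connection established from " + CLIENT),
    "plaintext_rejects": re.compile(
        r"reject: (?:MAIL|RCPT) from " + CLIENT
        + r": 530 [0-9.]+ Must issue a STARTTLS command first"
    ),
}


def parse_line(line):
    """Return (event_kind, client) for a line of interest, else None."""
    for kind, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return kind, m.group("client")
    return None


def summarize(log_text):
    """Count TLS failures, TLS sessions and plaintext rejects per client."""
    summary = defaultdict(lambda: {k: 0 for k in PATTERNS})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            kind, client = parsed
            summary[client][kind] += 1
    return dict(summary)


def classify(summary):
    """Label each client that was refused in plaintext.

    'tls_failed_then_plaintext': the client also had a failed TLS handshake,
        the fallback case from the post (its admin needs to fix TLS).
    'never_tried_tls': no handshake was attempted at all.
    Clients that were never refused in plaintext are omitted.
    """
    result = {}
    for client, counts in summary.items():
        if counts["plaintext_rejects"] == 0:
            continue
        if counts["tls_failures"] > 0:
            result[client] = "tls_failed_then_plaintext"
        else:
            result[client] = "never_tried_tls"
    return result


if __name__ == "__main__":
    for client, label in sorted(classify(summarize(SAMPLE_LOG)).items()):
        print(f"{client}: {label}")
```

The report gives the receiving admin the information the 530 reply alone does not carry to the other side: which peers hit the plaintext refusal, and which of them had a TLS handshake failure just before, so that their admins can be contacted about the client's TLS setup.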



_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org