On Fri, Nov 07, 2025 at 11:30:29AM -0500, pgnd via Postfix-users wrote:

> considering (as I do somewhat frequently) use of postfix inbound config
> that instead contains a stricter,
> 
>       [mx.example.net]:25  inet  n  -  n  -  1  postscreen
>         -o postscreen_tls_security_level=encrypt
>         -o smtpd_service_name=ps-int
>         ...
> 
>       ps-int  pass  -  -  n  -  -  smtpd
>         -o smtpd_tls_security_level=encrypt
>         ...
> 
> where, all non-TLS inbound email is refused.

I would not do this.  If ever there's a problem with your STARTTLS
support, nobody will be able to send you email alerting you to the
problem.  And of course you might some day miss an important
time-sensitive message you might regret not receiving.

I've been unable to send DANE survey notices to some domains with
this policy, when the domain (I hope inadvertently) no longer offers
STARTTLS, or STARTTLS is offered but fails.  The problem is not just
theoretical.

-- 
    Viktor.  🇺🇦 Слава Україні!
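
Added example, not part of the original message or of Postfix: a small out-of-band probe that distinguishes the two failure modes described above (STARTTLS no longer offered, or offered but failing) on an MX such as the quoted mx.example.net. The HELO name, status strings and the `smtp_factory` parameter are assumptions made for illustration.

```python
import smtplib
import ssl
import sys

OK = "ok"
NOT_OFFERED = "starttls-not-offered"
HANDSHAKE_FAILED = "starttls-failed"
UNREACHABLE = "unreachable"


def probe_starttls(host, port=25, helo="probe.example.org",
                   smtp_factory=smtplib.SMTP, timeout=15):
    """Return (status, detail) describing STARTTLS health of host:port.

    smtp_factory is a hypothetical injection point so the logic can be
    tested offline; in normal use it is smtplib.SMTP.
    """
    try:
        conn = smtp_factory(host, port, local_hostname=helo, timeout=timeout)
    except (OSError, smtplib.SMTPException) as exc:
        return UNREACHABLE, str(exc)
    try:
        conn.ehlo()
        if not conn.has_extn("starttls"):
            return NOT_OFFERED, "EHLO reply does not advertise STARTTLS"
        # Only handshake completion is checked, as an opportunistic
        # sender would; the certificate is deliberately not validated.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            conn.starttls(context=ctx)
            conn.ehlo()  # confirm the session is usable after the upgrade
        except (OSError, smtplib.SMTPException) as exc:
            return HANDSHAKE_FAILED, str(exc)
        return OK, "STARTTLS offered and handshake completed"
    except (OSError, smtplib.SMTPException) as exc:
        return UNREACHABLE, str(exc)
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: probe.py mx.example.net  (exit status 0 only when healthy)
    status, detail = probe_starttls(sys.argv[1])
    print(f"{sys.argv[1]}: {status}: {detail}")
    sys.exit(0 if status == OK else 1)
```

Run it from a host other than the mail server and route failures to a channel that does not depend on inbound mail to the same MX.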