My apologies, I grabbed the wrong snippet of log file (same host, different server). Here is the entire connection log (I changed only the domain name and xxx'd the ip address):
Mar 3 06:36:10 host postfix/smtp[22224]: initializing the client-side TLS engine
Mar 3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25
Mar 3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:before/connect initialization
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:unknown state
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server hello A
Mar 3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Mar 3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=2 verify=0 subject=/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
Mar 3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=1 verify=1 subject=/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU= http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287
Mar 3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: certificate verification depth=0 verify=1 subject=/O= smtp1.example.com/OU=Domain Control Validated/CN=smtp1.example.com
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server certificate A
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read server done A
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write client key exchange A
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write change cipher spec A
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 write finished A
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 flush data
Mar 3 06:36:11 host postfix/smtp[22224]: SSL_connect:SSLv3 read finished A
Mar 3 06:36:11 host postfix/smtp[22224]: smtp1.example.com[70.186.xxx.xxx]:25: subject_CN=smtp1.example.com, issuer_CN=Go Daddy Secure Certification Authority, fingerprint 93:28:E6:D5:F1:6F:FD:34:09:8B:BF:52:35:BB:94:6C, pkey_fingerprint=E4:A4:55:48:AF:85:C5:A0:51:25:94:B8:57:54:D5:50
Mar 3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)
Mar 3 06:36:11 host postfix/smtp[22224]: SSL3 alert write:fatal:protocol version
Mar 3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:
Mar 3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<br...@example.com>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)

As I said, I was trying to understand what was supposed to work in turning off TLS for a specific domain. I understand that I should be able to do it by specifying "example.com none" in tls_policy. I will test using smtp_tls_policy_maps, as well as testing using smtpd_discard_ehlo_keyword_address_maps.

Thank you again, and again my apologies for grabbing the wrong snippet of log file.

JL Hill

On Fri, Mar 15, 2013 at 6:33 PM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Fri, Mar 15, 2013 at 05:19:30PM -0400, JL Hill wrote:
>
> > I feel more confused. I had originally tested
> >
> > example.com none
> >
> > and it failed. I searched the documentation, and found .example.com to use
> > for subdomains, so I thought that would fit my case as the negotiation is
> > with smtp2.example.com, even though I am emailing john....@example.com
> >
> > When I tested without the dot, sending to john....@example.com my log shows
> > "Host offered STARTTLS: [smtp2.example.com]"
>
> This means that TLS was NOT used. This is a helpful log message that
> tells you could use TLS, but you're not. Your configuration turns
> on this non-default helpful log message.
>
> # default:
> smtp_tls_note_starttls_offer = no
>
> --
> Viktor.
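As an added example (not code from this thread, and not Postfix's own code), the Python script below models the two points the exchange turns on: how a smtp_tls_policy_maps entry is keyed on the next-hop destination (the recipient domain, not the MX host the client ends up negotiating with, so `example.com none` applies to mail for example.com while `.example.com` only covers its subdomains), and how to triage postfix/smtp TLS log lines like the ones quoted above so that "Untrusted TLS connection established", "TLS library problem" and "Host offered STARTTLS" are read correctly. The lookup order (exact next-hop first, then each parent domain with a leading dot) is an assumption modelled on Postfix's documented behaviour; the policy table and the log lines for process 22230 are constructed, and the lines for process 22224 are the ones from the message above.

```python
"""Model a Postfix smtp_tls_policy_maps lookup and triage postfix/smtp TLS log lines.

Added example; not code from the postfix-users thread or from Postfix itself.
"""
import re
from collections import defaultdict

# Constructed policy table in the source form of a Postfix hash: table
# (the text you would feed to postmap). Keys are next-hop destinations.
TLS_POLICY_TABLE = """
# next-hop destination    policy
example.com               none
.example.com              may
secure.example.org        encrypt
"""


def parse_policy_table(text):
    """Parse 'key value' lines into a dict; '#' comments and blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip()
    return table


def lookup_tls_policy(table, nexthop):
    """Return (policy, matched_key), or (None, None) when no entry applies.

    Assumed lookup order, modelled on Postfix's documented behaviour: the full
    next-hop destination first, then each parent domain with a leading dot.
    A '.example.com' entry therefore covers subdomains but not example.com itself.
    """
    nexthop = nexthop.lower().rstrip(".")
    if nexthop in table:
        return table[nexthop], nexthop
    labels = nexthop.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent], parent
    return None, None


# syslog prefix as written by postfix/smtp: "Mon  d HH:MM:SS host postfix/smtp[pid]: msg"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# trust level is the word Postfix itself logs: Untrusted means the chain was not verified
ESTABLISHED_RE = re.compile(
    r"^(?P<trust>Untrusted|Trusted|Verified|Anonymous) TLS connection established to "
    r"(?P<peer>\S+): (?P<proto>\S+) with cipher (?P<cipher>\S+)")
OFFERED_RE = re.compile(r"^Host offered STARTTLS: \[(?P<peer>[^\]]+)\]")
DELIVERY_RE = re.compile(
    r"^(?P<qid>\w+): to=<[^>]*>, relay=(?P<relay>[^,]+),.*status=(?P<status>\w+)")


def new_session():
    return {"tls": "not used", "trust": None, "protocol": None, "cipher": None,
            "peer": None, "library_problem": False, "queue_id": None, "status": None}


def triage_smtp_tls_log(lines):
    """Group postfix/smtp lines by process id and summarise each session's TLS outcome."""
    sessions = defaultdict(new_session)
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        s, msg = sessions[m["pid"]], m["msg"]
        if (e := ESTABLISHED_RE.match(msg)):
            s.update(tls="used", trust=e["trust"].lower(), protocol=e["proto"],
                     cipher=e["cipher"], peer=e["peer"])
        elif (o := OFFERED_RE.match(msg)):
            # logged only with smtp_tls_note_starttls_offer = yes; TLS was NOT used
            s.update(tls="offered but not used", peer=o["peer"])
        elif msg.startswith("warning: TLS library problem"):
            s["library_problem"] = True
        elif (d := DELIVERY_RE.match(msg)):
            s.update(queue_id=d["qid"], status=d["status"])
    return dict(sessions)


# pid 22224: lines from the message above; pid 22230: constructed, policy "none" in effect
SAMPLE_LOG = [
    "Mar 3 06:36:11 host postfix/smtp[22224]: setting up TLS connection to smtp1.example.com[70.186.xxx.xxx]:25",
    "Mar 3 06:36:11 host postfix/smtp[22224]: Untrusted TLS connection established to smtp1.example.com[70.186.xxx.xxx]:25: TLSv1 with cipher DES-CBC3-SHA (168/168 bits)",
    "Mar 3 06:36:11 host postfix/smtp[22224]: SSL3 alert write:fatal:protocol version",
    "Mar 3 06:36:11 host postfix/smtp[22224]: warning: TLS library problem: 22224:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:340:",
    "Mar 3 06:36:11 host postfix/smtp[22224]: ACFBAD746C: to=<br...@example.com>, relay=smtp1.example.com[70.186.xxx.xxx]:25, delay=222575, delays=222574/0.01/1/0, dsn=4.4.2, status=deferred (lost connection with smtp1.example.com[70.186.xxx.xxx] while sending MAIL FROM)",
    "Mar  3 06:40:02 host postfix/smtp[22230]: Host offered STARTTLS: [smtp2.example.com]",
    "Mar  3 06:40:03 host postfix/smtp[22230]: 1A2B3C4D5E: to=<user@example.com>, relay=smtp2.example.com[192.0.2.25]:25, delay=0.5, delays=0.1/0.01/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)",
]

if __name__ == "__main__":
    table = parse_policy_table(TLS_POLICY_TABLE)
    for dest in ("example.com", "smtp2.example.com", "example.org"):
        print(f"next-hop {dest:20} -> {lookup_tls_policy(table, dest)}")
    for pid, s in triage_smtp_tls_log(SAMPLE_LOG).items():
        print(pid, s)
```

Two things the output makes visible. The 22224 session did establish TLSv1 with 3DES, but "Untrusted" records that the certificate chain was not verified (the depth=2 lines show verify=0), and the deferral follows a "wrong version number" library error, so that failure is a TLS problem rather than a policy one. With `example.com none` in place, the client never starts the handshake; the only trace, if smtp_tls_note_starttls_offer is on, is the "Host offered STARTTLS" line, which the triage reports as "offered but not used", matching Viktor's reading of it. Note also that `smtp2.example.com` would hit the `.example.com` entry, but it is never the lookup key: the next-hop for mail to john....@example.com is `example.com`.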