On 04.03.2014 09:25, Robert Sander wrote:
> On 03.03.2014 18:06, Viktor Dukhovni wrote:
>
>> The problem is indeed man-made. DO NOT unilaterally configure
>> mandatory TLS. To use TLS, the other side has to signal support
>> for TLS (be it a bilateral agreement to use mandatory TLS,
>> opportunistic DANE TLS, or just STARTTLS in the EHLO response).
>
> Yes, the "problem" is man-made.
>
> We want to provide a service to our users where they can choose if they
> want to require TLS on the MTA connection based on the domain from which
> they send mails or to which they receive mails.
>
> The bounce message is needed to inform them that their communication
> partner's MTA is not able to speak TLS with us. Then they can decide if
> they want to send the message via an unencrypted channel or not.
You might take a deeper look at the Postfix documentation, and you will find an acceptable workaround; your "man-made problem" was no surprise.

And however you have TLS working, you can only promise secure sending to the next MX hop; you will never have full control of the whole "mail pass chain". So promising users "secure mail" is always problematic: you can only serve mail as securely as possible, everything else is just marketing speak.

> The "require TLS between MTAs" feature is completely optional.
>
> Regards

Best Regards
Kind regards
Robert Schetterer

--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
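The per-domain choice discussed in this thread (opportunistic TLS by default, mandatory TLS only for selected recipient or sender domains) maps onto standard Postfix configuration. The following is an added example written for this page; it is not configuration from the thread, from sys4 or from the Postfix project, and the domain names (`partner.example`, `bank.example`, `legacy.example`, `finance.example`), the map file paths under `/etc/postfix/` and the transport name `smtp-enforce-tls` are placeholders chosen for illustration.

```conf
# ---- /etc/postfix/main.cf (fragment; added example, placeholders throughout) ----

# Site-wide default: opportunistic TLS. Use STARTTLS when the remote MX
# offers it, fall back to cleartext otherwise, never bounce for lack of TLS.
smtp_tls_security_level = may
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_loglevel = 1

# Per-RECIPIENT-domain overrides ("domain to which they receive mails").
# Lookup key is the next-hop destination; value is "level [options]".
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# Per-SENDER-domain overrides ("domain from which they send mails"):
# route mail from these senders through a transport whose TLS level is raised.
sender_dependent_default_transport_maps = hash:/etc/postfix/sender_transport

# ---- /etc/postfix/tls_policy (run: postmap /etc/postfix/tls_policy) ----
# next-hop            level    options
partner.example       encrypt
bank.example          secure   match=bank.example:.bank.example
legacy.example        may

# ---- /etc/postfix/sender_transport (run: postmap /etc/postfix/sender_transport) ----
# sender domain       transport:nexthop
finance.example       smtp-enforce-tls:

# ---- /etc/postfix/master.cf (one added service, a clone of "smtp") ----
# service           type  private unpriv chroot wakeup maxproc command
smtp-enforce-tls    unix  -       -      n      -      -       smtp
    -o smtp_tls_security_level=encrypt
    -o syslog_name=postfix/enforce-tls
```

After rebuilding the maps with `postmap` and running `postfix reload`, mail to `partner.example` or from `finance.example` is only handed over on a TLS session, while everything else keeps the opportunistic `may` behaviour Viktor Dukhovni recommends. Two caveats matter for the bounce the thread asks about: when a peer does not offer STARTTLS, Postfix defers the delivery and retries it, so the user-visible bounce arrives only once `maximal_queue_lifetime` is exhausted (set `delay_warning_time` if users should hear about it sooner); and, as noted in the reply above, `encrypt` and `secure` only cover the hop from this MTA to the next MX, not whatever that MX does with the message afterwards.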