It is like I said that I did this to myself. I was looking under the wrong cup in the Shell Game!

Yesterday I made a change to transport from 'pf-out' not over the open internet, only over my private internet with a VPN. I did this by reading a posting from another person.

I changed the main.cf for 'pf-out'

- relay_transport = relay:[XX.XX.XX.XX]:25
+ relay_transport = relay2:[192.168.1.66]:25

In the master.cf config for 'pf-out' there is

relay unix - - n - - smtp
  -o smtp_bind_address=YY.YY.YY.YY
relay2 unix - - n - - smtp
  -o smtp_bind_address=192.168.0.15

Returning the change

- relay_transport = relay2:[192.168.1.66]:25
+ relay_transport = relay:[XX.XX.XX.XX]:25

it is sending again with no TLS errors.

I think I need some more firewall rules on the server so that TLS negotiation may be okay in both directions. But I do not yet see any DROP info in the logs I am looking into.

I think it is strange that the Postfix log is showing only the 'smtp' service name, not the 'relay2' name. It was some misdirection for me. Maybe it can be done to add some more labels.

Thanks for the advice to look with telnet and to watch in much detail the step-by-step sending through each IP and port. Now I must understand the missing rules in the firewall.

*S*
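
Added example, not part of the original post: because both services log under the same `postfix/smtp` tag, this sketch attributes each delivery line to `relay` or `relay2` by its next-hop IP and separates TLS handshake failures from plain connect failures. The log lines are constructed, `203.0.113.10` is a stand-in for the redacted XX.XX.XX.XX address, and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Next hop -> master.cf service name. 192.168.1.66 is from the post;
# 203.0.113.10 is a constructed stand-in for the redacted XX.XX.XX.XX.
NEXT_HOPS = {"192.168.1.66": "relay2", "203.0.113.10": "relay"}

# Constructed sample lines in the usual Postfix smtp(8) client log layout.
SAMPLE_LOG = """\
Mar  3 10:01:02 mx postfix/smtp[2101]: 4A1B2C3D: to=<a@example.org>, relay=203.0.113.10[203.0.113.10]:25, delay=0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Mar  3 10:05:10 mx postfix/smtp[2144]: SSL_connect error to 192.168.1.66[192.168.1.66]:25: lost connection
Mar  3 10:05:10 mx postfix/smtp[2144]: 5E6F7A8B: to=<b@example.org>, relay=192.168.1.66[192.168.1.66]:25, delay=1.2, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Mar  3 10:09:31 mx postfix/smtp[2150]: 9C0D1E2F: to=<c@example.org>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to 192.168.1.66[192.168.1.66]:25: Connection timed out)
"""

# Per-recipient delivery record: queue ID, recipient, relay, status, reason.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+),.*?status=(?P<status>\w+) \((?P<reason>.*)\)$")
PEER_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+")


def attribute(log_text, next_hops=NEXT_HOPS):
    """Return {service: [(queue_id, status, is_tls_failure), ...]}."""
    out = defaultdict(list)
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m:
            continue  # diagnostics such as SSL_connect errors carry no queue ID
        # relay=none on connect failures: fall back to the IP in the reason text
        ip = PEER_IP.search(m["relay"]) or PEER_IP.search(m["reason"])
        service = next_hops.get(ip.group(1), "unknown") if ip else "unknown"
        tls_fail = m["status"] != "sent" and "TLS" in m["reason"]
        out[service].append((m["qid"], m["status"], tls_fail))
    return dict(out)


if __name__ == "__main__":
    for service, rows in attribute(SAMPLE_LOG).items():
        for qid, status, tls_fail in rows:
            kind = "TLS failure" if tls_fail else "no TLS error"
            print(f"{service:7} {qid} {status:9} {kind}")
```

A TLS handshake failure and a connect timeout on the same next hop point to different causes, so keeping them apart helps when deciding whether firewall rules are involved. Postfix's `syslog_name` parameter, set per service with `-o` in master.cf, is the built-in way to make the log tag itself differ between the two services.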