Thanks for your quick reply Viktor. OK now I understand that what I am
trying to do can't be done. If someone could implement the feature you
suggest (wrapper mode is enabled conditionally, only when the port is 465,
and not when it is some other port) that would of course be ideal.

Background: smtp.virginmedia.net imposes some absurdly small limit on the
number of emails it will relay, I suppose because they deem it a
residential service. The reason I am trying to do this is that our 'normal'
relay server signs all emails (dkim) and this is good for emails we are
sending out but not good for emails we are receiving in (because these can
include all sorts of spam, and the signing falsely indicates them to be
from us), so I wanted to use Virgin's smtp server - which doesn't re-sign
emails - just to handle these incoming emails (and pass them on to our real
external mailboxes). Clearly I have to think again!

Apologies for double-posting my original question, I thought the first one
had not got through.

Dominic

On 14 September 2016 at 13:30, Viktor Dukhovni <postfix-us...@dukhovni.org>
wrote:

> On Wed, Sep 14, 2016 at 01:11:53PM +0100, Dominic Raferd wrote:
>
> > I am using Postfix 3.1.0 and following instructions at
> > http://www.postfix.org/TLS_README.html#client_smtps to set up for sending
> > some (recipient dependent) emails via smtps (whereas others go over TLS to
> > a different relay server).
>
> Otherwise also called "TLS wrapper mode" in which a TLS handshake
> takes place immediately after the TCP 3-way handshake, and the SMTP
> session runs inside TLS.  Note that:
>
>         smtp_tls_wrappermode = yes
>
> is a global setting for the transport, that is, it depends only
> on the transport used, not the nexthop domain.
>
> >  So when it fails, Postfix falls back using the hosts
> > specified in main.cf's smtp_fallback_relay (*not* relayhost, which is used
> > for emails that don't have a match in the transport list).
>
> It does not matter whether "smtp_fallback_relay" is in main.cf or
> in master.cf specified per transport.   Either way, the fallback
> delivery always uses the same transport agent used for the primary
> nexthop.  Which means that smtp_fallback_relay will use smtps,
> when the primary nexthop uses smtps.  This does not depend on
> the nexthop destination's port number.
>
> What you're looking for is a new feature, in which wrapper mode is
> enabled conditionally, only when the port is 465, and not when it
> is some other port.  That code has not been written.
>
> It is hard to imagine why an MSA on port 465 would implement quotas.
> Generally, port 465 MSAs just do outbound submission, and not
> inbound mailbox delivery.  Is there some provider that's mixing
> up these services?  Is this configuration self-inflicted?
>
> If the primary MSA provider also supports STARTTLS on port 587,
> use that instead, and don't enable TLS wrapper mode.
>
> --
>         Viktor.
>
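
The per-transport behaviour Viktor describes, laid out as an added configuration sketch (not taken from either poster's actual setup). The transport name `smtps`, the recipient domain `forwarded.example.org` and the host `fallback.example.com` are assumptions made for illustration; the empty fallback override is one possible way to keep a port 587 fallback from being contacted in wrapper mode.

```conf
# /etc/postfix/master.cf
# Dedicated client transport for implicit-TLS ("wrapper mode") relays.
# smtp_tls_wrappermode belongs to the transport, so every nexthop this
# transport contacts, the fallback relay included, gets a TLS handshake
# immediately after the TCP connection is established.
smtps     unix  -       -       n       -       -       smtp
    -o smtp_tls_wrappermode=yes
    -o smtp_tls_security_level=encrypt
    # Empty override: without it this transport inherits main.cf's
    # smtp_fallback_relay and would attempt wrapper mode against a
    # STARTTLS-only port 587 server.
    -o smtp_fallback_relay=

# /etc/postfix/main.cf
transport_maps = hash:/etc/postfix/transport
# Applies to every smtp(8)-based transport that does not override it.
# fallback.example.com is a constructed placeholder.
smtp_fallback_relay = [fallback.example.com]:587

# /etc/postfix/transport
# Recipient-dependent routing: only this (hypothetical) domain is sent
# through the wrapper-mode transport; everything else uses the default.
forwarded.example.org    smtps:[smtp.virginmedia.net]:465
```

With the override in place, mail routed through `smtps` is deferred and retried when the port 465 host is unavailable, rather than being handed to the port 587 fallback.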
