> On Sep 18, 2018, at 5:58 AM, Stefan Bauer <cubew...@googlemail.com> wrote: > > I noticed the following today. Is this part of the standard?
You should have asked "is this expected behaviour in Postfix"? And the answer is "yes". > For recipient domain: > > MX 5 mx1.recipient.com - does not support TLS and refused delivery with temp > error > MX 10 mx2.recipient.com - does support TLS and took the mail > > Sep 18 10:36:29 B245080E75: TLS is required, but was not offered by host > mx1.recipient.com[1.2.3.4] > Sep 18 10:36:29 Untrusted TLS connection established to > mx2.recipient.com[5.4.3.2]:25: TLSv1.2 with cipher > ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits) > > smtp_delivery_status_filter was in place for above temp error, but it > was not mapped to permanent error (which makes sense to me. This is because "smtp_delivery_status_filter" applies to the *final* status of a recipient once all the applicable MX hosts have been tried: http://www.postfix.org/postconf.5.html#default_delivery_status_filter Note: the (smtp|lmtp)_delivery_status_filter is applied only once per recipient: when delivery is successful, when delivery is rejected with 5XX, or when there are no more alternate MX or A destinations. Use smtp_reply_filter or lmtp_reply_filter to inspect responses for all delivery attempts. -- Viktor.
