Greetings, Viktor Dukhovni!

> On Thu, Nov 29, 2018 at 02:59:35AM +0300, Andrey Repin wrote:

>> The premise is this:

>> 1. All delivery should be handled directly, but...

> #
> relayhost =

That's not directly, that's "through relay".

>> 2. Some of our clients are rejecting mail using particularly idiotic RBL,
>> however...

> Are the rejects 4XX or 5XX?

220-relay6.hosting.reg.ru ESMTP Postfix
521 5.7.1 Service unavailable; client [213.134.200.30] blocked using b.barracudacentral.org

>> 3. I have a relay server that usually works ok, although slower, but...

> You really should be more precise here. Is the relay server doing STARTTLS
> (on either port 25 or 587) or implicit TLS (port 465)?

>> 4. Relay server requires TLS and authentication.

> What flavour of TLS? STARTTLS (TLS after SMTP) or implicit TLS
> (SMTP after TLS)?

TLS as in - explicit TLS (port 465).

>> Now, I've successfully configured dumb relayhost= with TLS and auth.
>> But I'm failing to mate it with either relay_transport= or
>> smtp_fallback_relay=

> If the failures are confined to a mostly stable set of domains and are
> not infrequent, then you want to always route these domains to the
> relay via:

> transport:
>     example.com tlsrelay:[relayhost.example]:587
>     example.org tlsrelay:[relayhost.example]:587
>     example.net tlsrelay:[relayhost.example]:587
>     ...

> master.cf:
>     # ==========================================================================
>     # service type  private unpriv  chroot  wakeup  maxproc command + args
>     #               (yes)   (yes)   (no)    (never) (100)
>     # ==========================================================================
>     tlsrelay  unix  -       -       n       -       -       smtp
>         -o smtp_tls_CApath=$tlsrelay_CApath
>         -o smtp_tls_CAfile=$tlsrelay_CAfile
>         ...

Hm. I was near that solution, but you are right that it is only applicable to
a known set of domains.

>> It either not using fallback relay, complain that it requires
>> wrappermode=yes,
>> or says that there were timeout waiting for server greeting.

> If the set of problem destinations is dynamic, or the failure sporadic,
> and a direct attempt makes sense, then:

> master.cf:
>     # ==========================================================================
>     # service type  private unpriv  chroot  wakeup  maxproc command + args
>     #               (yes)   (yes)   (no)    (never) (100)
>     # ==========================================================================
>     smtp      unix  -       -       n       -       -       smtp
>         -o smtp_fallback_relay=[relayhost.example]:587

Should use 465... Which requires wrappermode=yes. Which subsequently breaks any
direct delivery.

-- 
With best regards,
Andrey Repin
Thursday, November 29, 2018 4:01:41

Sorry for my terrible English...
