> On Nov 28, 2018, at 9:25 PM, Andrey Repin <anrdae...@yandex.ru> wrote:
>
>> The "smtp_tls_wrapper_mode" setting in Postfix is per-transport
>> (via master.cf overrides), and has no per-destination analogue in
>> the TLS policy table. Nor is this inferred from the port number.
>
>> So yes, you can't have wrapper mode for just the fallback relay.
>> Which means that your relayhost would have to support STARTTLS.
>
> It does not, I just double checked with the owner.
In that case, you'd need to configure stunnel or similar to listen on a local loopback port and proxy it to port 465 on the remote host, via an authenticated upstream TLS connection (avoid the legacy "verify = 2", it is not secure). With that, your fallback relay can be just cleartext SMTP to a local port which stunnel will encrypt in transit. You'd need to enable plaintext auth without TLS, since Postfix won't know about stunnel doing TLS on the wire.

Another alternative, avoiding stunnel, is to forward the mail to a fallback Postfix instance that then sends everything via the relay (using wrapper_mode).

--
Viktor.
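As an added illustration of the stunnel-plus-Postfix arrangement described above (example configuration, not from the thread or the Postfix project; the relay hostname, loopback port 10465, CA bundle and file paths are assumptions):

```ini
; /etc/stunnel/relay465.conf (assumed path): stunnel acting as a TLS client.
; Postfix talks cleartext SMTP to 127.0.0.1:10465; stunnel wraps that in
; implicit TLS towards relay.example.net:465 (assumed relay name and port).
[relay465]
client  = yes
accept  = 127.0.0.1:10465
connect = relay.example.net:465
sni     = relay.example.net
; Authenticate the upstream instead of the legacy "verify = 2":
; validate the certificate chain against the system CA bundle and
; require the relay's name in the certificate, so a MITM on the
; path to port 465 cannot impersonate the relay.
verifyChain = yes
CAfile      = /etc/ssl/certs/ca-certificates.crt
checkHost   = relay.example.net

; Matching /etc/postfix/main.cf additions for the fallback path only
; (shown here as comments so this file stays valid stunnel syntax):
;
;   smtp_fallback_relay       = [127.0.0.1]:10465
;   smtp_sasl_auth_enable     = yes
;   smtp_sasl_password_maps   = hash:/etc/postfix/sasl_passwd
;   # Default is "noplaintext, noanonymous". "noplaintext" must go,
;   # because Postfix only sees a cleartext loopback session and cannot
;   # know that stunnel encrypts it on the wire. This setting is global,
;   # so only destinations listed in sasl_passwd should be non-TLS hops.
;   smtp_sasl_security_options = noanonymous
;   # Do not attempt STARTTLS towards the loopback listener; the TLS
;   # session is stunnel's, not Postfix's.
;   smtp_tls_policy_maps      = hash:/etc/postfix/tls_policy
;
; /etc/postfix/tls_policy (assumed path) then contains one line:
;   [127.0.0.1]:10465   none
```

Credentials in sasl_passwd are keyed on the same "[127.0.0.1]:10465" string, so the plaintext AUTH only ever crosses the loopback hop before stunnel encrypts it.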