> On Dec 20, 2018, at 1:25 PM, Stefan Bauer <cubew...@googlemail.com> wrote:
> 
> I'm aware of such exceptions but I don't like to set them.  Our policy is 
> safe or not at all via mail.

That policy has a cost.  You don't like the cost, but there it is...

> I would like to have a setting like "do not try next MX
> if first MX lacks TLS support". It assumes that if TLS is
> not available on the primary it will for sure also not be
> available on the second and third.

Sorry, Postfix does not and will not do that.  Data-mine your logs
for deliveries that fall back to a dead MX host (a connection failure
and a large "c" value, >= smtp_connect_timeout, in the "delays=a/b/c/d"
part of the log entry), e.g.

  delays=263861/0.01/60/0, dsn=4.4.1, status=deferred
    (connect to <guilty-party>: Operation timed out)

Then, if you refuse to ever deliver in the clear, reject mail to
the domain.

  transport:
    example.com error:5.1.2:Destination domain does not support STARTTLS

-- 
        Viktor.
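As an added example (not part of the original post or of Postfix itself), a Python sketch of the log data-mining described above: it parses constructed postfix/smtp log lines, keeps the entries whose connection phase (the "c" in delays=a/b/c/d) reached smtp_connect_timeout and whose reason is a connection failure, and tallies them per recipient domain so the operator can decide which domains to reject with a transport entry. The log lines, queue IDs and hosts are constructed; the 30s threshold is Postfix's default smtp_connect_timeout, passed in as a parameter.

```python
import re
from collections import Counter
from dataclasses import dataclass

# A postfix/smtp delivery record; "c" in delays=a/b/c/d is connection-setup time.
LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, relay=(?P<relay>\S+), "
    r"(?:conn_use=\d+, )?delay=[\d.]+, "
    r"delays=[\d.]+/[\d.]+/(?P<c>[\d.]+)/[\d.]+, "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

@dataclass
class DeadMxHit:
    queue_id: str
    recipient: str
    connect_seconds: float   # the "c" of delays=a/b/c/d
    reason: str

def dead_mx_fallbacks(lines, connect_timeout=30.0):
    """Entries whose connection phase ran into smtp_connect_timeout (Postfix
    default 30s) with a connection-failure reason: the attempt hit a dead MX
    host before Postfix moved on to the next one."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        c = float(m.group("c"))
        if c >= connect_timeout and m.group("reason").startswith("connect to"):
            hits.append(DeadMxHit(m.group("qid"), m.group("rcpt"), c, m.group("reason")))
    return hits

def domains_by_hits(hits):
    """Count dead-MX fallbacks per recipient domain (input for a transport map)."""
    return Counter(h.recipient.rpartition("@")[2].lower() for h in hits)

# Constructed sample lines (not from the original post); hosts use RFC 5737 addresses.
SAMPLE_LOG = [
    "Dec 20 13:40:12 mx postfix/smtp[4242]: 3A4B5C6D7E: to=<alice@example.com>, "
    "relay=none, delay=263921, delays=263861/0.01/60/0, dsn=4.4.1, status=deferred "
    "(connect to mx1.example.com[192.0.2.10]:25: Operation timed out)",
    "Dec 20 13:40:13 mx postfix/smtp[4243]: 5F6E7D8C9B: to=<bob@example.org>, "
    "relay=mx.example.org[192.0.2.20]:25, delay=1.2, delays=0.1/0.01/0.5/0.6, "
    "dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 1234)",
    "Dec 20 13:40:14 mx postfix/smtp[4244]: 0A1B2C3D4E: to=<carol@example.net>, "
    "relay=none, delay=5, delays=4.9/0.01/0.02/0, dsn=4.4.1, status=deferred "
    "(connect to mx.example.net[192.0.2.30]:25: Connection refused)",
]
```

Only the first sample line counts as a dead-MX fallback: the refused connection on the third line failed fast, so its "c" value stays far below the timeout.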
