On 22.12.18 at 07:55, Stefan Bauer wrote:
nights later, a better approach seems to have a policy service that does the tls pre-checking.


Long time ago I wrote this

https://blog.sys4.de/recipient-verification-tls-mandatory-modus-en.html

perhaps it helps


Something like this already around? (I'm no coder but want to sponsor that if someone can do it) pm please

On Thursday, 20 December 2018, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
 >> On Dec 20, 2018, at 1:25 PM, Stefan Bauer <cubew...@googlemail.com> wrote:
 >>
>> I'm aware of such exceptions but I don't like to set them.  Our policy is safe or not at all via mail.
 >
 > That policy has a cost.  You don't like the cost, but there it is...
 >
 >> I would like to have a setting like do not try next mx,
 >> if first mx lacks tls support. it assumes that if tls is
 >> not avail on primary it will for sure also not be avail
 >> on second and third.
 >
 > Sorry, Postfix does not and will not do that.  Data-mine your logs
 > for deliveries that fall back to a dead MX host (connection failure
 > and a large "c" value (>= smtp_connect_timeout) in the "delays=a/b/c/d"
 > part of the log entry, e.g.
 >
 >   delays=263861/0.01/60/0, dsn=4.4.1, status=deferred
 >     (connect to <guilty-party>: Operation timed out)
 >
 > Then, if you refuse to ever deliver in the clear, reject mail to
 > the domain.
 >
 >   transport:
 >     example.com error:5.1.2:Destination domain does not support STARTTLS
 >
 > --
 >         Viktor.
 >


--
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
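
The log mining suggested in the quoted reply, as an added example (not code from this thread or from Postfix): it scans smtp(8) delivery lines for deferred connects whose "c" value in `delays=a/b/c/d` is at least the connect timeout. The log lines are constructed, the function name is hypothetical, and the 30-second default assumes `smtp_connect_timeout` is left at its Postfix default.

```python
import re
from collections import defaultdict

# Matches the final "deferred" line of a delivery attempt: recipient domain,
# the four delays (c = connection setup time) and the host that failed.
LOG_RE = re.compile(
    r"to=<[^>]*@(?P<domain>[^>]+)>.*?"
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+),.*?"
    r"status=deferred \(connect to (?P<host>[^\[\s:]+)(?:\[[^\]]*\])?(?::\d+)?: (?P<reason>[^)]+)\)"
)

# Constructed sample log lines (documentation domains and addresses).
SAMPLE_LOG = """\
Dec 20 13:25:01 mail postfix/smtp[2101]: 4F3A21C0D5: to=<bob@example.com>, relay=none, delay=263861, delays=263861/0.01/60/0, dsn=4.4.1, status=deferred (connect to mx2.example.com[192.0.2.25]:25: Operation timed out)
Dec 20 13:26:10 mail postfix/smtp[2102]: 5A1B22D0E6: to=<amy@example.net>, relay=none, delay=0.3, delays=0.1/0.01/0.19/0, dsn=4.4.1, status=deferred (connect to mx1.example.net[198.51.100.7]:25: Connection refused)
Dec 20 13:27:44 mail postfix/smtp[2103]: 6C2D33E1F7: to=<joe@example.org>, relay=mx.example.org[203.0.113.9]:25, delay=1.2, delays=0.1/0.01/0.5/0.59, dsn=2.0.0, status=sent (250 2.0.0 Ok)
Dec 20 14:25:01 mail postfix/smtp[2104]: 4F3A21C0D5: to=<bob@example.com>, relay=none, delay=267461, delays=267400/0.02/60/0, dsn=4.4.1, status=deferred (connect to mx2.example.com[192.0.2.25]:25: Operation timed out)
"""

def dead_mx_candidates(lines, connect_timeout=30.0):
    """Return {recipient_domain: {failed_host: hits}} for deferred deliveries
    whose connection stage ("c") lasted at least connect_timeout seconds.
    Fast failures such as "Connection refused" stay below the threshold."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.search(line)
        if m and float(m.group("c")) >= connect_timeout:
            hits[m.group("domain").lower()][m.group("host").lower()] += 1
    return {dom: dict(hosts) for dom, hosts in hits.items()}

if __name__ == "__main__":
    for domain, hosts in dead_mx_candidates(SAMPLE_LOG.splitlines()).items():
        print(domain, hosts)
```

Domains that keep appearing in the result are the candidates to review for the transport-table rejection shown in the quoted reply.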
