Am 22.12.18 um 07:55 schrieb Stefan Bauer:
nights later, a better approach seems to have a policy service that does
the tls pre-checking.
long time ago i wrote this
https://blog.sys4.de/recipient-verification-tls-mandatory-modus-en.html
perhaps it helps
Something like this already around? ( i'm no coder but want to sponsor
that if someone can do it) pm please
Am Donnerstag, 20. Dezember 2018 schrieb Viktor Dukhovni
<postfix-us...@dukhovni.org <mailto:postfix-us...@dukhovni.org>>:
>> On Dec 20, 2018, at 1:25 PM, Stefan Bauer <cubew...@googlemail.com
<mailto:cubew...@googlemail.com>> wrote:
>>
>> I'm aware of such exceptions but I don't like to set them. Our
policy is safe or not at all via mail.
>
> That policy has a cost. You don't like the cost, but there it is...
>
>> I would like to have a setting like do not try next mx,
>> if first mx lacks tls support. it assumes that if tls is
>> not avail on primary it will for sure also not be avail
>> on second and third.
>
> Sorry, Postfix does not and will not do that. Data-mine your logs
> for deliveries that fall back to a dead MX host (connection failure
> and a large "c" value (>= smtp_connect_timeout) in the "delays=a/b/c/d"
> part of the log entry, e.g.
>
> delays=263861/0.01/60/0, dsn=4.4.1, status=deferred
> (connect to <guilty-party>: Operation timed out)
>
> Then, if you refuse to ever deliver in the clear, reject mail to
> the domain.
>
> transport:
> example.com <http://example.com> error:5.1.2:Destination domain does
not support STARTTLS
>
> --
> --
> Viktor.
>
--
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein