Hello, I have the following configuration applied:
admin@flopster ~ $ sudo postconf | grep ^smtp_tls
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file = /etc/ssl/domains/flopster.at.encryp.ch/fullchain
smtp_tls_chain_files =
smtp_tls_ciphers = medium
smtp_tls_connection_reuse = no
smtp_tls_dane_insecure_mx_policy = ${{$smtp_tls_security_level} == {dane} ? {dane} : {may}}
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = ${{$compatibility_level} <level {3.6} ? {md5} : {sha256}}
smtp_tls_force_insecure_host_tlsa_lookup = no
smtp_tls_key_file = /etc/ssl/domains/flopster.at.encryp.ch/key
smtp_tls_loglevel = 0
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = >=TLSv1
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = >=0x0303
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level = dane
smtp_tls_servername =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_trust_anchor_file =
smtp_tls_verify_cert_match = hostname
smtp_tls_wrappermode = no
However, when I am trying to send letters to hosts that do not support TLS (no DNSSEC and DANE implemented, as well as no certificates configured), Postfix just fails and refuses to retry recipient verification over a plaintext connection:
Aug 15 12:22:18 flopster postfix/cleanup[9839]: 5058916E081A: message-id=<20230815092218.5058916e0...@flopster.at.encryp.ch>
Aug 15 12:22:18 flopster postfix/qmgr[11478]: 5058916E081A: from=<address.verif...@at.encryp.ch>, size=316, nrcpt=1 (queue active)
Aug 15 12:22:21 flopster postfix/smtp[9437]: 5058916E081A: Cannot start TLS: handshake failure
Aug 15 12:22:23 flopster postfix/smtp[9437]: 5058916E081A: to=<l...@east.ru>, relay=mail.east.ru[195.170.62.138]:25, delay=5.1, delays=0.01/0/5.1/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)
Aug 15 12:22:23 flopster postfix/qmgr[11478]: 5058916E081A: removed
If necessary, here are my address_verify settings:
admin@flopster ~ $ sudo postconf | grep ^address_verify
address_verify_cache_cleanup_interval = 12h
address_verify_default_transport = $default_transport
address_verify_local_transport = $local_transport
address_verify_map = btree:$data_directory/verify_cache
address_verify_negative_cache = yes
address_verify_negative_expire_time = 3d
address_verify_negative_refresh_time = 5m
address_verify_pending_request_limit = 5000
address_verify_poll_count = ${stress?{1}:{3}}
address_verify_poll_delay = 3s
address_verify_positive_expire_time = 31d
address_verify_positive_refresh_time = 7d
address_verify_relay_transport = $relay_transport
address_verify_relayhost = $relayhost
address_verify_sender = address.verif...@at.encryp.ch
address_verify_sender_dependent_default_transport_maps = $sender_dependent_default_transport_maps
address_verify_sender_dependent_relayhost_maps = $sender_dependent_relayhost_maps
address_verify_sender_ttl = 0s
address_verify_service_name = verify
address_verify_transport_maps = $transport_maps
address_verify_virtual_transport = $virtual_transport
Please help me to troubleshoot this issue. Thanks in advance!