On Wed, Jun 24, 2015 at 02:06:43PM -0700, Carl Byington wrote:
> Does Exim (immediately or delayed) retry that connection and
> (temporarily or permanently) ignore the offer of STARTTLS? Does anyone
> know the behavior of Postfix or other software in this circumstance?

OpenSMTPD falls back to plaintext unless it was told that relaying has to take place over TLS, in which case no fallback happens.

There are two rationales behind this:

- in case of opportunistic TLS, if the remote host had not offered TLS then the local host would have used plaintext anyway, so since this is just best effort we should at least try without it.

- in case of opportunistic TLS, it would be hard to explain that there is a failure preventing mail from being routed ... when another client is succeeding at that by simply not using a feature ... that was used as a best effort to start with.

> What is the "correct" behavior in this case? The recipient is offering
> an encrypted channel that we cannot (well, will not) use. If everyone
> backs off and sends plain text, the recipient will never realize that
> they should upgrade their DH parameters. We can easily write a script to
> tail the log files and automatically add "Try_TLS:server NO" entries to
> /etc/mail/access. But should we?

IMO the correct behavior for the sender is to fall back. The duty of the sender is to bring a message closer to its destination and do its best not to lose the message. If it starts failing sessions that could succeed just so that other hosts realize that they need a fix in their setup, this feels like the beginning of an already lost battle :-p

-- 
Gilles Chehade

https://www.poolp.org @poolpOrg

_______________________________________________
mailop mailing list
http://chilli.nosignal.org/mailman/listinfo/mailop
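As an added illustration (not code from the thread, from OpenSMTPD or from any other MTA), a Python model of the two delivery policies discussed above (opportunistic TLS with plaintext fallback versus mandatory TLS with deferral), plus a per-peer failure counter over constructed log lines for the log-tailing idea raised in the question. FakePeer, deliver, handshake_failures and the log format are all assumptions made for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
import re

@dataclass
class FakePeer:
    """Constructed stand-in for a remote MX (not a real server): whether it
    advertises STARTTLS and whether its TLS handshake completes."""
    offers_starttls: bool
    handshake_ok: bool

def deliver(peer: FakePeer, require_tls: bool, retried: bool = False) -> list[str]:
    """Client-side model of the fallback policy described in the thread.
    Returns the ordered list of client actions; the last entry is the outcome."""
    trace = ["CONNECT", "EHLO"]
    if peer.offers_starttls and not retried:
        trace.append("STARTTLS")
        if peer.handshake_ok:
            return trace + ["TLS-OK", "EHLO", "MAIL: delivered over TLS"]
        trace.append("TLS-HANDSHAKE-FAILED")  # e.g. peer's DH parameters rejected
        if require_tls:
            return trace + ["DEFER: TLS required but unusable"]
        # Opportunistic: reconnect and do not issue STARTTLS on the retry.
        trace.append("QUIT-AND-RECONNECT-WITHOUT-TLS")
        return trace + deliver(peer, require_tls, retried=True)
    if require_tls:
        return trace + ["DEFER: peer offers no usable TLS"]
    return trace + ["MAIL: delivered in plaintext"]

# Constructed log lines in a hypothetical MTA format; the regex matches only this format.
SAMPLE_LOG = """\
smtp-out: mx1.example.test: starttls handshake failed: dh key too small
smtp-out: mx2.example.test: starttls ok TLSv1.2
smtp-out: mx1.example.test: starttls handshake failed: dh key too small
"""
FAIL_RE = re.compile(r"^smtp-out: (\S+): starttls handshake failed")

def handshake_failures(log_text: str) -> dict[str, int]:
    """Count TLS handshake failures per peer so an operator can see which
    remote sites to contact, rather than silently downgrading them."""
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts

if __name__ == "__main__":
    print(deliver(FakePeer(True, False), require_tls=False))
    print(handshake_failures(SAMPLE_LOG))
```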
