Hi Ken,

I fully agree, but I'm asking why the primary MX supports STARTTLS but the backup MX does not in the case of Strato.

Strategy should either be full TLS (on all MX) or not at all. The mix is what causes headaches, and I see no reason why one would go this path, so I'm asking the community :)

Stefan

-----Original Message-----
From: Ken O'Driscoll via mailop <[email protected]>
Sent: Wednesday, 13 February 2019 10:49
To: [email protected]
Subject: Re: [mailop] Strato Postmaster around? relay.rzone.de does not offer STARTTLS

On Wed, 2019-02-13 at 07:31 +0000, Stefan Bauer wrote:
> As a lot of sites nowadays enforce TLS, this is a showstopper, when the
> primary MX is rejecting connections by greylisting, sender tries
> second (backup) MX and fails due to missing STARTTLS. If the backup MX
> would also use greylisting, the client would come back later to primary
> MX and would be able to deliver.

Hi Stefan,

The vast majority of public MX servers do not enforce TLS; they offer opportunistic TLS, whereby TLS is supported if asked for but a plaintext SMTP conversation is still supported.

From RFC 3207:

   A publicly-referenced SMTP server MUST NOT require use of the
   STARTTLS extension in order to deliver mail locally. This rule
   prevents the STARTTLS extension from damaging the interoperability of
   the Internet's SMTP infrastructure. A publicly-referenced SMTP server
   is an SMTP server which runs on port 25 of an Internet host listed in
   the MX record (or A record if an MX record is not present) for the
   domain name on the right hand side of an Internet mail address.

Likewise, if your public MX server required TLS when speaking with other public MX servers, regardless of whether or not they offer it, that is your "showstopper".

Ken.

_______________________________________________
mailop mailing list
[email protected]
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
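The delivery paths discussed in this thread can be traced with a small model. This is an added example, not part of the original messages: the host names are placeholders, and the sender behaviours (walk MX hosts by preference on each queue run; treat a missing STARTTLS either as a deferral or as a permanent failure) are assumptions about the sending MTA.

```python
from dataclasses import dataclass

@dataclass
class MX:
    name: str
    pref: int
    starttls: bool
    greylist: bool
    seen: bool = False          # greylist memory: sender already tried once

def attempt(mx, require_tls):
    """Outcome of one SMTP session against one MX host."""
    if not mx.starttls and require_tls:
        return "no-starttls"            # sender policy refuses plaintext
    if mx.greylist and not mx.seen:
        mx.seen = True
        return "greylisted"             # 4xx, sender should retry later
    return "delivered-tls" if mx.starttls else "delivered-plaintext"

def deliver(mxs, require_tls, tls_failure_is_permanent, max_runs=3):
    """Walk MX hosts by preference on each queue run; return (result, trace)."""
    trace = []
    for run in range(1, max_runs + 1):
        for mx in sorted(mxs, key=lambda m: m.pref):
            outcome = attempt(mx, require_tls)
            trace.append((run, mx.name, outcome))
            if outcome.startswith("delivered"):
                return outcome, trace
            if outcome == "no-starttls" and tls_failure_is_permanent:
                return "bounced", trace
    return "deferred", trace

def mixed_setup(backup_tls):
    # Constructed model of the setup in the thread: greylisting primary with
    # STARTTLS, backup without greylisting. Host names are placeholders.
    return [MX("primary.example", 10, True, True),
            MX("backup.example", 20, backup_tls, False)]

if __name__ == "__main__":
    for label, args in [("enforcing, hard-fail", (True, True)),
                        ("enforcing, defer", (True, False)),
                        ("opportunistic", (False, False))]:
        print(label, deliver(mixed_setup(False), *args))
    print("enforcing, TLS on all MX", deliver(mixed_setup(True), True, True))
```

In this model the opportunistic sender is pushed by the greylisting primary onto the backup and delivers in plaintext, while an enforcing sender either waits for the next queue run or bounces, depending on how it classifies the missing STARTTLS.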
