> 
> On 22. Feb 2020, at 21:27, Søren Aurehøj <so...@fab-it.dk> wrote:
> 
> Hi Archange
> 
> Thank you for your reply, I will answer inline.
> 
> 
>> Den 22. feb. 2020 kl. 20.01 skrev Archange <archa...@activis.me>:
>> 
>> Hi,
>> 
>> Le 22/02/2020 à 19:55, Søren Aurehøj a écrit :
>>> Hi Misc
>>> 
>>> I am using OpenSMTPD 6.6.0 on OpenBSD 6.6 stable
>>> 
>>> Currently I’m using the tls-require option in order to get mandatory TLS on 
>>> outgoing mail, but with that follows the normal time-out values regarding 
>>> bounce intervals.
>>> Because of greylisting, I’m not sure that adjusting these time-out values 
>>> is the best way around this problem.
>> I’m not sure how greylisting is involved here. Can you elaborate?
>> 
> I was lowering bounce warn-interval as an interim measure to speed up 
> non-deliveries due to missing TLS - that could collide with greylisting 
> intervals if lowered the warn-interval to much.
> 
>>> I have tested the scenario with a mailserver which is unable to use TLS, by 
>>> sending mail to mailnesia.com. 
>>> This gives the expected result - "mta event=error reason=TLS required but 
>>> not supported by remote host” in the maillog.
>>> 
>>> My mailserver recognizes when it is unable to continue the delivery due to 
>>> a configuration setting on my mailserver. 
>>> But instead of bouncing the mail immediately, it is queued anyway for later 
>>> delivery.
>>> 
>>> Is it possible to enforce outgoing mail to always use TLS - and bounce more 
>>> or less immediately, 
>>> if the sending mailserver registers that the receiving mailserver is unable 
>>> to meet our requirements regarding TLS?
>> I don’t know, but it seems a bad idea: what about a transient failure? The 
>> mail systems expect you to keep retrying to deliver for some time. They are 
>> several reasons that could lead to your email being temporarily rejected 
>> because your MTA was unable to establish a correct TLS session, but still 
>> succeed some time after that.
>> 
> That’s a risk I am ready to accept - sending with TLS is mandatory according 
> to our data protection officer, citing GDPR and the sensitivity of the emails 
> sent.

Shouldn’t you rather use E2E then?

Niels

Reply via email to