On Thu, 2025-01-16 at 08:33 -0500, Wietse Venema via Postfix-users wrote:
> Tobi via Postfix-users:
> > Hi list
> >
> > we have an issue with mail delivery. We use tlspol to tell postfix if
> > mta-sts or DANE should be used for a recipient domain. Now we have the
> > case that a rcpt domain has 3 MX records. The first one with prio 0 has
> > **no** TLSA records but the other two (prio 10 and 20) have proper TLSA
> > records. The zone itself is properly DNSSec signed. tlspol returns
> > dane-only to postfix in that case. Now it seems that postfix only tries
> > the first MX, sees that there is no TLSA and defers the message.
> > Should postfix in such cases not try the next MX as well? Is that the
> > intended behaviour? I somehow would have expected that postfix handles
> > this like a temp failure of a MX and therefore try the next one.
>
> That would be unexpected. I'm implementing support for REQUIRETLS
> (RFC 8689) and that code is supposed to try multiple MXes before it
> gives up.
>
> Have you perhaps configured smtp_mx_session_limit=1 ?
>
> postconf smtp_mx_session_limit

postconf smtp_mx_session_limit
smtp_mx_session_limit = 2

> postconf -P '*/*/smtp_mx_session_limit'

postconf -P '*/*/smtp_mx_session_limit'
postconf: warning: unmatched request: "*/*/smtp_mx_session_limit"

>
> (same question for smtp_mx_address_limit=1).

postconf smtp_mx_address_limit
smtp_mx_address_limit = 5

>
> Wietse
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org