Hello Viktor and list readers,
Viktor, all you write is true.
In March I switched the non-default configuration on. Probably because I
thought it was clever after Wietse and you did some very meaningful discourse
here on the list, which sounded like a good idea to me. And I absolutely
forgot about this. Reverting this should do the trick I am looking for.
Thank you very much.
Florian
On 20.08.2025 at 11:39, Viktor Dukhovni via Postfix-users wrote:
> On Wed, Aug 20, 2025 at 11:15:59AM +0200, Florian Piekert via Postfix-users wrote:
>
>> I know that there are certain consequences of using
>> smtp_tls_security_level = encrypt
>
> Postfix will by default defer (and NOT bounce) messages when a remote
> server fails to meet the TLS security expectations. A bounce will
> *only* happen once a message has exceeded the maximum queue lifetime.
>
>> However, is there a way to (temporarily) "suspend" a mail that would
>> bounce if the target MX server(s) do not offer TLS?
>
> This is default built-in behaviour, you don't need to do anything.
>
>> Logically, the mail is then already gone for good due to the
>> dsn=5.7.4, status=bounced (TLS is required, but was not offered by
>> host... error.
>
> Don't configure Postfix to immediately bounce TLS policy failures.
> The default action is to defer the delivery, possibly after trying
> another MX host:
>
>     $ git grep -B2 -A1 'TLS is required, but was not offered' -- src/smtp
>     src/smtp/smtp_proto.c- return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
>     src/smtp/smtp_proto.c- SMTP_RESP_FAKE(&fake, "4.7.4"),
>     src/smtp/smtp_proto.c: "TLS is required, but was not offered by host %s",
>     src/smtp/smtp_proto.c- session->namaddr));
>
>> So I ask myself if there is a (simple?) possibility of suspending such
>> mail prior deletion from the qmgr and after having added to the
>> tls_routing_maps file to "mailq -q" (or with queue ID, whatever)?
>
> You must have adopted the non-default configuration below, which you now
> regret:
>
>     $ git grep -B16 -A8 'TLS is required, but was not offered' -- proto/
>     proto/postconf.proto-
>     proto/postconf.proto-<p> Example 1: convert specific soft TLS errors into hard errors,
>     proto/postconf.proto-by overriding the first number in the enhanced status code. </p>
>     proto/postconf.proto-
>     proto/postconf.proto-<blockquote>
>     proto/postconf.proto-<pre>
>     proto/postconf.proto-/etc/postfix/main.cf:
>     proto/postconf.proto- smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
>     proto/postconf.proto-</pre>
>     proto/postconf.proto-</blockquote>
>     proto/postconf.proto-
>     proto/postconf.proto-<blockquote>
>     proto/postconf.proto-<pre>
>     proto/postconf.proto-/etc/postfix/smtp_dsn_filter:
>     proto/postconf.proto- /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
>     proto/postconf.proto- 5$1
>     proto/postconf.proto: /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
>     proto/postconf.proto- 5$1
>     proto/postconf.proto- # Do not change the following into hard bounces. They may
>     proto/postconf.proto- # result from a local configuration problem.
>     proto/postconf.proto- # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
>     proto/postconf.proto- # 4.\d+.\d+ TLS is required, but unavailable
>     proto/postconf.proto- # 4.\d+.\d+ Cannot start TLS: handshake failure
>     proto/postconf.proto-</pre>
>     proto/postconf.proto-</blockquote>
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
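The two smtp_dsn_filter rules quoted in Viktor's reply are what turn Postfix's default 4.7.4 deferral into an immediate 5.7.4 bounce. As an added example (not from the thread and not Postfix code), this script applies those two rules to constructed delivery statuses the way a pcre: delivery status filter lookup would, and shows which statuses stay deferred with the default (no filter) and which the filter converts into bounces; the host names, addresses and queue ID in the samples are constructed.

```python
import re

# The two rewrite rules from the quoted smtp_dsn_filter example, translated
# from Postfix pcre: table syntax to Python ("$1" becomes "\1"). Postfix pcre
# tables match case-insensitively by default, hence re.IGNORECASE.
HARD_BOUNCE_RULES = [
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)",
                re.IGNORECASE), r"5\1"),
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)",
                re.IGNORECASE), r"5\1"),
]


def apply_dsn_filter(dsn, rules):
    """Mimic a delivery status filter lookup: the key is '<enhanced code> <text>',
    the first matching rule wins, and its expanded result replaces the key."""
    for pattern, result in rules:
        match = pattern.match(dsn)
        if match:
            return match.expand(result)
    return dsn  # no rule matched: the status is passed through unchanged


def queue_action(dsn, rules):
    """What the queue manager does with the filtered status: a 5.x.x code is
    bounced at once, a 4.x.x code is deferred (retried until the maximal
    queue lifetime expires), anything else is a successful delivery."""
    filtered = apply_dsn_filter(dsn, rules)
    return {"5": "bounce", "4": "defer"}.get(filtered[:1], "deliver")


# Constructed sample statuses in the shape smtp(8) produces them; the hosts
# are documentation-example names, not real servers.
SAMPLES = [
    "4.7.4 TLS is required, but was not offered by host mx.example.net[192.0.2.10]",
    "4.7.4 TLS is required, but host mx.example.net[192.0.2.10] refused to start TLS: "
    "454 4.7.0 TLS not available due to temporary reason",
    "4.7.4 TLS is required, but our TLS engine is unavailable",
    "4.7.5 Cannot start TLS: handshake failure",
    "2.0.0 Ok: queued as 0123456789AB",
]

if __name__ == "__main__":
    for dsn in SAMPLES:
        print(f"default: {queue_action(dsn, []):7s}  filter on: "
              f"{queue_action(dsn, HARD_BOUNCE_RULES):7s}  {dsn}")
```

With an empty rule list (the default configuration) every TLS policy failure stays a 4.x.x deferral, which is the behaviour the thread recommends restoring.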