Viktor Dukhovni via Postfix-users:
> Don't configure Postfix to immediately bounce TLS policy failures.
> The default action is to defer the delivery, possibly after trying
> another MX host:
>
>     $ git grep -B2 -A1 'TLS is required, but was not offered' -- src/smtp
>     src/smtp/smtp_proto.c-        return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
>     src/smtp/smtp_proto.c-                               SMTP_RESP_FAKE(&fake, "4.7.4"),
>     src/smtp/smtp_proto.c:                      "TLS is required, but was not offered by host %s",
>     src/smtp/smtp_proto.c-                               session->namaddr));

smtp_delivery_status_filter DOES NOT immediately bounce TLS policy
failures. It will do so only for the 'final' MX host, after it has
tried other MXes.

This feature was added when someone from Germany (surprise) requested
a hard bounce for mandatory TLS, and they suggested to fail delivery
immediately, an idea that I rejected.

Implementation detail: the upgrade from soft to hard TLS error happens
in the code path for the 'final' MX host.

        Wietse
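
The behaviour described in this thread, as an added example (not code from the thread or from the Postfix source): a small Python model of a status filter that turns the soft "TLS is required" error into a hard one, applied only on the final MX host. The filter rule, the function names and the example.com hosts are assumptions made for illustration, and the model covers only success and soft-failure replies.

```python
import re

# Constructed rule, written the way a pcre: table entry for
# smtp_delivery_status_filter would express it:
#   /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/  5$1
TLS_RULE = re.compile(
    r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)")

def apply_filter(status):
    """Rewrite a 'D.S.S text' status if the rule matches, else return it as is."""
    return TLS_RULE.sub(r"5\1", status, count=1)

def deliver(mx_results, use_filter):
    """Model one delivery attempt over MX hosts in preference order.

    mx_results: list of (host, status); status is 'D.S.S text' (2.x.x or 4.x.x).
    Returns (action, host, status), action in {'sent', 'deferred', 'bounced'}.
    """
    if not mx_results:
        raise ValueError("no MX hosts given")
    for i, (host, status) in enumerate(mx_results):
        if status.startswith("2."):
            return ("sent", host, status)
        if i < len(mx_results) - 1:
            continue  # soft failure on a non-final MX: try the next host
        # Final MX only: this is where a soft error can become a hard one.
        if use_filter:
            status = apply_filter(status)
        action = "bounced" if status.startswith("5.") else "deferred"
        return (action, host, status)

# Constructed sample replies, using the message text from the grep output above.
MX1 = "mx1.example.com[192.0.2.1]"
MX2 = "mx2.example.com[192.0.2.2]"
NO_TLS = "4.7.4 TLS is required, but was not offered by host "

if __name__ == "__main__":
    both_fail = [(MX1, NO_TLS + MX1), (MX2, NO_TLS + MX2)]
    print(deliver(both_fail, use_filter=False))   # deferred at the final MX
    print(deliver(both_fail, use_filter=True))    # bounced at the final MX
    print(deliver([(MX1, NO_TLS + MX1), (MX2, "2.0.0 Ok")], use_filter=True))
```
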