Thank you for your response. I assume I have something wrong, or I misunderstood the documentation.
I have tested sending mail to example.com. A "dig example.com MX" gives:

example.com. 2546 IN MX 10 smtp1.example.com.
example.com. 2546 IN MX 20 smtp2.example.com.
example.com. 2546 IN MX 30 smtp3.example.com.

I had assumed that having ".example.com none" in my tls_policy would keep postfix from negotiating TLS with these servers. I will try with smtp_discard_ehlo_keyword_address_maps.

Thank you again,
JL Hill

p.s. in case it is of value, my tls config:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
smtpd_tls_auth_only = no
smtpd_tls_security_level = may
smtp_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_received_header = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_key_file = /etc/postfix/ssl/host.mydom.com.key
smtpd_tls_cert_file = /etc/postfix/ssl/host.mydom.com.crt
smtpd_tls_CAfile = /etc/postfix/ssl/gd_bundle.crt
smtp_tls_CAfile = /etc/postfix/ssl/gd_bundle.crt
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 2
smtpd_tls_loglevel = 2

On Fri, Mar 15, 2013 at 11:28 AM, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Fri, Mar 15, 2013 at 10:09:17AM -0400, JL Hill wrote:
>
> > /etc/postfix/tls_policy
> >
> > example.com none
> > .example.com none
> >
> > From the documentation I read, I thought postfix would not try negotiating
> > TLS with the example.com mail server, but it does.
> >
> > (I posted this question Mar. 5, but received no response).
> >
> > Best regards,
>
> The policy table applies policy to destination domains, not MX
> hosts. So what do you mean when you say "with the example.com"
> mailserver? If it has a stable IP address, you can use
>
> smtp_discard_ehlo_keyword_address_maps
>
> suppress a given host's "STARTTLS" announcement.
>
> --
> Viktor.
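The two lookups the thread contrasts, side by side, as an added example that is not part of the original thread or of the Postfix documentation: tls_policy is keyed by the recipient's next-hop domain, while smtp_discard_ehlo_keyword_address_maps is keyed by the remote server's IP address. The address 192.0.2.10 is a constructed placeholder standing in for smtp1.example.com.

```conf
# main.cf (added example, not from the thread)

# smtp_tls_policy_maps is looked up with the next-hop destination domain
# of the message (the part after "@" in the recipient, or the transport
# nexthop), never with the MX hostnames that the domain resolves to.
# "example.com none" therefore disables TLS for mail *addressed to*
# example.com on every one of its MX hosts; ".example.com" covers
# recipient subdomains such as user@sub.example.com, not smtp1.example.com.
smtp_tls_security_level = may
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# /etc/postfix/tls_policy  (run "postmap /etc/postfix/tls_policy" after editing)
#   example.com     none
#   .example.com    none

# To ignore the STARTTLS offer of one specific server (and only that
# server), key on the address the Postfix SMTP client connects to.
# The listed EHLO keywords are dropped from that server's response
# before the client decides whether to start TLS, so delivery to that
# host proceeds in cleartext while other hosts still get opportunistic TLS.
smtp_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/discard_ehlo

# /etc/postfix/discard_ehlo  (cidr: tables are read directly, no postmap needed)
#   192.0.2.10/32    starttls    # constructed placeholder IP for smtp1.example.com
```

With smtp_tls_loglevel = 2 already set, the mail log shows whether a session to that address negotiated TLS or not, which is the quickest way to confirm the map is being applied.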