Nik Kostaras:
> Jun 22 17:30:26 postfix-outbound/smtp[27125]: 3wtnBB3Jr7z1Q67T:
> to=<t...@icarus.com>, relay=10.44.43.1[10.44.43.1]:25, delay=0.08,
> delays=0.02/0.03/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS:
> handshake failure)
>
> It reaches
> if (PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE)
> RETRY_AS_PLAINTEXT;
>
> inside smtp_start_tls(), but the condition is false the first time because of
> the "PREACTIVE_DELAY >= var_min_backoff_time" clause of
> PLAINTEXT_FALLBACK_OK_AFTER_STARTTLS_FAILURE.
This is a security workaround for active attackers who aren't smart
enough to remove or modify STARTTLS in the EHLO response, but who
can still tamper with the TLS handshake.
Perhaps Viktor remembers what problem we were trying to solve.
Wietse
