On Thu, Jun 22, 2017 at 06:14:08PM +0000, Nik Kostaras wrote:

> In one of my tests I'm configuring Postfix client (smtp) to use
> opportunistic TLS with TLSv1.2 protocol only

Don't do that. See RFC7435. Raising the floor on acceptable
cryptographic parameters often lowers security. Instead raise the
ceiling, allowing the peers to negotiate stronger algorithms.

> As expected the TLS handshake fails, but Postfix moves the message to
> the deferred queue rather than retrying immediately in plaintext.

This avoids needless downgrade to cleartext when there's a transient
glitch during the TLS handshake.

> What is the reason for the timeout between the incoming_arrival and
> active_arrival (var_min_backoff_time) of a message, before the message is
> allowed to be immediately retransmitted?

Some MTAs (say Sendmail) don't downgrade to cleartext at all when the
peer purports to support STARTTLS. Postfix gives the remote MTA another
chance to complete a TLS handshake by deferring the attempted delivery.
Not all STARTTLS failures are the result of persistent incompatibility.

-- 
	Viktor.
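As an added illustration (not part of Viktor's reply or of the Postfix documentation), the two main.cf configurations the thread contrasts: the TLSv1.2-only floor on an opportunistic client, beside the exclusion-list form that keeps newer protocol versions negotiable, plus the backoff parameter the question refers to by its internal name. Parameter names are real Postfix settings; the values shown are illustrative.

```ini
# Discouraged (the setup in the question): opportunistic TLS with a hard
# protocol floor.  A peer that cannot complete a TLSv1.2 handshake fails,
# and the message is deferred instead of delivered, so the floor lowers
# availability without adding any security for that peer.
smtp_tls_security_level = may
smtp_tls_protocols = TLSv1.2

# Preferred: keep opportunistic TLS, but exclude only the broken protocol
# versions so both ends can still negotiate the strongest version they share
# (raise the ceiling, not the floor).
smtp_tls_security_level = may
smtp_tls_protocols = !SSLv2, !SSLv3

# Interval before a deferred delivery (for instance one that failed during
# STARTTLS) is retried; this is the minimal_backoff_time parameter that the
# question calls var_min_backoff_time.  Illustrative value.
minimal_backoff_time = 300s
```

Use one of the two smtp_tls_protocols settings, not both; they are shown together only for comparison.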