Thanks Viktor, this verifies my suspicions. I'm using the protocol mismatch to forcibly trigger a TLS handshake failure because I was too lazy to pick an invalid cipher. Is there any value in making this check optional with the use of a configuration parameter, to specify the expected minimum timeout (0 to disable the timeout check)? If so I can send a patch for that.
Nik

-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Viktor Dukhovni
Sent: 23 June 2017 01:06
To: postfix-users@postfix.org
Subject: Re: Message not retransmitted immediately after opportunistic TLS handshake failure

On Thu, Jun 22, 2017 at 06:14:08PM +0000, Nik Kostaras wrote:

> In one of my tests I'm configuring Postfix client (smtp) to use
> opportunistic TLS with TLSv1.2 protocol only

Don't do that. See RFC7435. Raising the floor on acceptable cryptographic parameters often lowers security. Instead raise the ceiling, allowing the peers to negotiate stronger algorithms.

> As expected the TLS handshake fails, but Postfix moves the message to
> deferred queue rather than retrying immediately in plaintext.

This avoids needless downgrade to cleartext when there's a transient glitch during the TLS handshake.

> What is the reason for the timeout between the incoming_arrival and
> active_arrival (var_min_backoff_time) of a message, before the message
> is allowed to be immediately retransmitted?

Some MTAs (say Sendmail) don't downgrade to cleartext at all when the peer purports to support STARTTLS. Postfix gives the remote MTA another chance to complete a TLS handshake by deferring the attempted delivery. Not all STARTTLS failures are the result of persistent incompatibility.

-- 
Viktor.
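For reference, an added main.cf sketch (not from this thread or from the Postfix project) contrasting the single-version floor Nik describes with the RFC 7435 approach Viktor recommends; the minimal_backoff_time value is the Postfix default, and example.com and /etc/postfix/tls_policy are placeholders.

```conf
# --- Weak: opportunistic TLS with a hard protocol floor ----------------
# With security level "may", a peer that cannot complete a TLSv1.2
# handshake fails. Postfix defers the message rather than sending it in
# cleartext at once, and retries only after minimal_backoff_time has
# elapsed. A floor this high delays mail to every older peer and, per
# RFC 7435, tends to lower overall security rather than raise it.
smtp_tls_security_level = may
smtp_tls_protocols      = TLSv1.2
minimal_backoff_time    = 300s

# --- RFC 7435: low floor, high ceiling for opportunistic TLS -----------
# Exclude only protocols known to be broken and let the peer negotiate
# the strongest version both sides support. A handshake that still
# fails is deferred and retried the same way, but far fewer peers fail
# in the first place. loglevel 1 records which peers negotiate what.
smtp_tls_security_level = may
smtp_tls_protocols      = !SSLv2, !SSLv3
smtp_tls_loglevel       = 1

# Where a hard floor is genuinely required, make it mandatory for that
# destination only, so a failed handshake means "not delivered" rather
# than "delivered in cleartext".
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy
#   /etc/postfix/tls_policy (placeholder destination):
#   example.com   encrypt protocols=TLSv1.2
```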