I'm aware of these exceptions but I don't like to set them. Our policy is safe
or not at all via mail.

I would like to have a setting like "do not try next MX if first MX lacks
TLS support". It assumes that if TLS is not available on the primary it will for
sure also not be available on the second and third.

On Thursday, 20 December 2018, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>> On Dec 20, 2018, at 12:42 PM, Stefan Bauer <cubew...@googlemail.com> wrote:
>>
>> I use smtp_tls_security_level = encrypt
>
> The cost of that choice is that you must also have:
>
>   main.cf:
>     indexed = ${default_database_type}:${config_directory}/
>     smtp_tls_policy_maps = ${indexed}tls-policy
>
> and be prepared to watch your logs and add manual exceptions:
>
>   tls-policy:
>     # Non-mandatory TLS for domains that don't (yet?) have
>     # working STARTTLS.  Perhaps "none" rather than "may" in
>     # some cases.
>     #
>     example.net may
>     ...
>
> --
>         Viktor.
>
>
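
One way to do the log watching mentioned in the quoted reply, as an added example that is not part of the original thread: it scans delivery log lines for deferrals caused by a missing STARTTLS offer and lists the affected recipient domains as commented-out `tls-policy` candidates for review. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual Postfix smtp(8) delivery-log shape.
SAMPLE_LOG = """\
Dec 20 18:42:01 mail postfix/smtp[2101]: 4A1B2C3D4E: to=<alice@example.net>, relay=mx1.example.net[192.0.2.10]:25, delay=1.2, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx1.example.net[192.0.2.10])
Dec 20 18:42:05 mail postfix/smtp[2101]: 5B2C3D4E5F: to=<bob@Example.NET>, relay=mx2.example.net[192.0.2.11]:25, delay=0.9, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host mx2.example.net[192.0.2.11])
Dec 20 18:43:10 mail postfix/smtp[2102]: 6C3D4E5F6A: to=<carol@example.org>, relay=mx.example.org[192.0.2.20]:25, delay=0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 9F8E7D6C5B)
Dec 20 18:44:30 mail postfix/smtp[2103]: 7D4E5F6A7B: to=<dave@example.com>, relay=none, delay=30, dsn=4.4.1, status=deferred (connect to mx.example.com[192.0.2.30]:25: Connection timed out)
"""

# One delivery attempt: queue id, recipient domain, status, parenthesised reason.
DELIVERY = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<[^>@]+@(?P<domain>[^>]+)>,"
    r".*?status=(?P<status>\w+) \((?P<reason>.*)\)$"
)
NO_TLS = "TLS is required, but was not offered by host"


def domains_without_tls(log_text):
    """Map recipient domain -> set of MX hosts that did not offer STARTTLS."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m or m["status"] != "deferred" or NO_TLS not in m["reason"]:
            continue  # delivered, or deferred for an unrelated reason
        host = m["reason"].split("host ", 1)[1].split("[", 1)[0]
        hits[m["domain"].lower()].add(host)
    return dict(hits)


def policy_candidates(hits):
    """Render commented-out tls-policy entries; nothing is enabled automatically."""
    lines = []
    for domain, hosts in sorted(hits.items()):
        lines.append(f"# no STARTTLS offered by: {', '.join(sorted(hosts))}")
        lines.append(f"# {domain} may")
    return lines


if __name__ == "__main__":
    print("\n".join(policy_candidates(domains_without_tls(SAMPLE_LOG))))
```

The output is only a report; under a strict "encrypted or not at all" policy the listed domains simply stay deferred until they bounce.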
