nights later, a better approach seems to be a policy service that does the TLS pre-checking.

Something like this already around? (I'm no coder but want to sponsor that if someone can do it.) PM please.

On Thursday, 20 December 2018, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

>> On Dec 20, 2018, at 1:25 PM, Stefan Bauer <cubew...@googlemail.com> wrote:
>>
>> I'm aware of such exceptions but I don't like to set them. Our policy is safe or not at all via mail.
>
> That policy has a cost. You don't like the cost, but there it is...
>
>> I would like to have a setting like do not try next mx,
>> if first mx lacks tls support. it assumes that if tls is
>> not avail on primary it will for sure also not be avail
>> on second and third.
>
> Sorry, Postfix does not and will not do that. Data-mine your logs
> for deliveries that fall back to a dead MX host (connection failure
> and a large "c" value (>= smtp_connect_timeout) in the "delays=a/b/c/d"
> part of the log entry, e.g.
>
> delays=263861/0.01/60/0, dsn=4.4.1, status=deferred
> (connect to <guilty-party>: Operation timed out)
>
> Then, if you refuse to ever deliver in the clear, reject mail to
> the domain.
>
> transport:
> example.com error:5.1.2:Destination domain does not support STARTTLS
>
> --
> Viktor.
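The log-mining step Viktor describes, as an added example that is not part of the original thread: a small Python parser over constructed Postfix smtp(8) log lines that flags deferred deliveries whose connection-setup time "c" reached smtp_connect_timeout (the Postfix default of 30s is assumed) and emits the corresponding transport-map error entry for each affected domain. The log lines, queue IDs and hostnames are all constructed.

```python
import re

# Constructed sample Postfix smtp(8) log lines (not taken from the thread).
SAMPLE_LOG = """\
Dec 20 13:40:01 mx1 postfix/smtp[1234]: 3F2A1C0D: to=<alice@example.com>, relay=none, delay=263921, delays=263861/0.01/60/0, dsn=4.4.1, status=deferred (connect to mx2.example.com[192.0.2.25]:25: Operation timed out)
Dec 20 13:41:10 mx1 postfix/smtp[1235]: 4A7B2D1E: to=<bob@example.net>, relay=mx.example.net[198.51.100.7]:25, delay=1.2, delays=0.5/0.01/0.4/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
Dec 20 13:42:33 mx1 postfix/smtp[1236]: 5B8C3E2F: to=<carol@example.org>, relay=none, delay=90, delays=30/0.02/45/0, dsn=4.4.1, status=deferred (connect to mx.example.org[203.0.113.9]:25: Operation timed out)
Dec 20 13:43:05 mx1 postfix/smtp[1237]: 6C9D4F30: to=<dave@example.edu>, relay=none, delay=5.3, delays=5/0.01/0.3/0, dsn=4.4.1, status=deferred (connect to mx.example.edu[192.0.2.77]:25: Connection refused)
"""

# Pull out the recipient domain, the a/b/c/d delay components, the DSN,
# the status and the parenthesised reason from one smtp(8) delivery line.
LINE_RE = re.compile(
    r"to=<[^>]*@(?P<domain>[^>]+)>.*?"
    r"delays=(?P<a>[\d.]+)/(?P<b>[\d.]+)/(?P<c>[\d.]+)/(?P<d>[\d.]+), "
    r"dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

def find_dead_mx_fallbacks(log_text, smtp_connect_timeout=30.0):
    """Return (domain, c, reason) for deferred deliveries whose connection
    setup time "c" reached smtp_connect_timeout, i.e. deliveries that fell
    back to an MX host that never answered. 30s is the Postfix default."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        c = float(m.group("c"))
        if (m.group("status") == "deferred" and c >= smtp_connect_timeout
                and "connect to" in m.group("reason")):
            hits.append((m.group("domain"), c, m.group("reason")))
    return hits

def transport_map_entries(domains, dsn="5.1.2",
                          text="Destination domain does not support STARTTLS"):
    """Build transport(5) lines that reject mail to the given domains,
    in the form shown in the thread."""
    return [f"{d} error:{dsn}:{text}" for d in sorted(set(domains))]

if __name__ == "__main__":
    hits = find_dead_mx_fallbacks(SAMPLE_LOG)
    for domain, c, reason in hits:
        print(f"{domain}: c={c}s ({reason})")
    print("\n".join(transport_map_entries(d for d, _, _ in hits)))
```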