[ $subject would have been more clear had the OP mentioned that he's talking about address verification probes. ]
On Tue, Aug 15, 2023 at 01:29:14PM +0000, Serg via Postfix-users wrote:

> > admin@flopster ~ $ sudo postconf | grep ^smtp_tls
> > smtp_tls_cert_file = /etc/ssl/domains/flopster.at.encryp.ch/fullchain
> > smtp_tls_key_file = /etc/ssl/domains/flopster.at.encryp.ch/key

Typically, not needed.

> > smtp_tls_loglevel = 0

Level 1 is typically more informative at negligible additional cost.

> > smtp_tls_policy_maps =

Nothing to check there.

> > smtp_tls_protocols = >=0x0303

This is more clear when written as:

    smtp_tls_protocols = >=TLSv1.2

Not clear why one would choose to prefer cleartext fallback over TLSv1.

> > smtp_tls_security_level = dane
> > smtp_tls_session_cache_database =

A resumption cache makes repeated deliveries to the same destination
cheaper on both ends.

> However when I am trying to send letters to hosts that do not support
> TLS (no DNSSEC and DANE implemented, as well as no certificates
> configured), postfix just fails and regrets to retry recipient
> verification over plaintext connection:
>
> > Aug 15 12:22:18 flopster postfix/cleanup[9839]: 5058916E081A:
> > message-id=<20230815092218.5058916e0...@flopster.at.encryp.ch>
> > Aug 15 12:22:18 flopster postfix/qmgr[11478]: 5058916E081A:
> > from=<address.verif...@at.encryp.ch>, size=316, nrcpt=1 (queue active)
> > Aug 15 12:22:21 flopster postfix/smtp[9437]: 5058916E081A: Cannot start
> > TLS: handshake failure
> > Aug 15 12:22:23 flopster postfix/smtp[9437]: 5058916E081A:
> > to=<l...@east.ru>, relay=mail.east.ru[195.170.62.138]:25, delay=5.1,
> > delays=0.01/0/5.1/0, dsn=4.7.5, status=undeliverable (Cannot start TLS:
> > handshake failure)
> > Aug 15 12:22:23 flopster postfix/qmgr[11478]: 5058916E081A: removed

Indeed, so long as the TCP connection succeeds, address verification
probes may not queue to retry a cleartext delivery. Queueing probes for
a cleartext retry may expose your queue to greater risk of congestion.

But perhaps it is a risk that one should be prepared to take when
enabling sender or recipient verification. Wietse likely has more to
say on this topic. I haven't looked very closely at the address
verification machinery.

> > admin@flopster ~ $ sudo postconf | grep ^address_verify

No "sudo" necessary, and please report "postconf -n", rather than
"postconf" output.

> > address_verify_negative_refresh_time = 5m

This is perhaps too short. The default is:

    address_verify_negative_refresh_time = 3h

-- 
Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
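An added example, not from the thread: a small Python scanner over constructed log lines in the postfix/smtp format quoted above. It picks out address verification probes reported undeliverable only because STARTTLS failed (the dsn=4.7.5 case discussed here) and ignores ordinary deliveries, which are logged as deferred and retried; the hosts, addresses and queue ids in SAMPLE_LOG are placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the postfix/smtp format quoted in the thread.
# Queue ids, hosts and addresses are placeholders, not real data.
SAMPLE_LOG = """\
Aug 15 12:22:21 mx postfix/smtp[9437]: 5058916E081A: Cannot start TLS: handshake failure
Aug 15 12:22:23 mx postfix/smtp[9437]: 5058916E081A: to=<user@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=5.1, delays=0.01/0/5.1/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)
Aug 15 12:30:02 mx postfix/smtp[9440]: 7A1C2D3E4F5A: to=<other@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.8, delays=0.01/0/0.4/0.4, dsn=2.0.0, status=deliverable (250 2.1.5 Ok)
Aug 15 12:31:10 mx postfix/smtp[9441]: 9B8C7D6E5F4A: to=<bob@example.com>, relay=mx.example.com[203.0.113.7]:25, delay=5.2, delays=0.01/0/5.2/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
"""

# Per-recipient status line written by the smtp(8) client.
STATUS_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# Only verify(8) probes are logged as deliverable/undeliverable; a real
# delivery that cannot start TLS is logged as deferred and retried later.
PROBE_STATUSES = {"deliverable", "undeliverable"}


@dataclass(frozen=True)
class ProbeResult:
    qid: str
    rcpt: str
    relay: str
    dsn: str
    status: str
    reason: str


def parse_probe_results(log_text: str) -> list[ProbeResult]:
    """Return the address verification probe outcomes found in log_text."""
    results = []
    for line in log_text.splitlines():
        m = STATUS_RE.search(line)
        if m and m.group("status") in PROBE_STATUSES:
            results.append(ProbeResult(**m.groupdict()))
    return results


def tls_only_probe_failures(log_text: str) -> list[ProbeResult]:
    """Probes marked undeliverable solely because STARTTLS failed (dsn 4.7.5)."""
    return [r for r in parse_probe_results(log_text)
            if r.status == "undeliverable" and r.reason.startswith("Cannot start TLS")]
```

Such verdicts stay in the negative verification cache for address_verify_negative_refresh_time, so they are the ones worth alerting on.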