> On 22. Feb 2020, at 21:27, Søren Aurehøj <[email protected]> wrote:
>
> Hi Archange
>
> Thank you for your reply, I will answer inline.
>
>> On 22 Feb 2020, at 20:01, Archange <[email protected]> wrote:
>>
>> Hi,
>>
>> On 22/02/2020 at 19:55, Søren Aurehøj wrote:
>>> Hi Misc
>>>
>>> I am using OpenSMTPD 6.6.0 on OpenBSD 6.6 stable
>>>
>>> Currently I’m using the tls-require option in order to get mandatory TLS on
>>> outgoing mail, but with that follows the normal time-out values regarding
>>> bounce intervals.
>>> Because of greylisting, I’m not sure that adjusting these time-out values
>>> is the best way around this problem.
>> I’m not sure how greylisting is involved here. Can you elaborate?
>>
> I was lowering bounce warn-interval as an interim measure to speed up
> non-deliveries due to missing TLS - that could collide with greylisting
> intervals if I lowered the warn-interval too much.
>
>>> I have tested the scenario with a mailserver which is unable to use TLS, by
>>> sending mail to mailnesia.com.
>>> This gives the expected result - "mta event=error reason=TLS required but
>>> not supported by remote host" in the maillog.
>>>
>>> My mailserver recognizes when it is unable to continue the delivery due to
>>> a configuration setting on my mailserver.
>>> But instead of bouncing the mail immediately, it is queued anyway for later
>>> delivery.
>>>
>>> Is it possible to enforce outgoing mail to always use TLS - and bounce more
>>> or less immediately,
>>> if the sending mailserver registers that the receiving mailserver is unable
>>> to meet our requirements regarding TLS?
>> I don’t know, but it seems a bad idea: what about a transient failure? The
>> mail systems expect you to keep retrying to deliver for some time. There are
>> several reasons that could lead to your email being temporarily rejected
>> because your MTA was unable to establish a correct TLS session, but still
>> succeed some time after that.
>>
> That’s a risk I am ready to accept - sending with TLS is mandatory according
> to our data protection officer, citing GDPR and the sensitivity of the emails
> sent.

Shouldn’t you rather use E2E then?

Niels
