On Thu, Mar 19, 2009 at 01:37:31PM -0400, Cory Coager wrote:

> If I'm reading the documentation correctly, when using smtp_tls_policy_maps
> for specific domains, if no servers are available

That is, no servers offer TLS, or do offer TLS, but with unsatisfactory
certificates.

> the email will be deferred?

Yes.

> Is there a way to change this to a permanent failure?

No, doing this would be a design error.

- When attackers temporarily disable TLS between you and a remote domain,
  they should not be able to cause messages to bounce.

- When attackers provide false DNS responses for the MX hosts of the target
  domain, they should not be able to cause messages to bounce.

- When an administrator of the remote server screws up and disables TLS,
  messages should not bounce.

A secure channel must temp-fail when security cannot be established,
otherwise the channel is subject to tampering by untrusted parties.
Negative responses must be secured just like positive ones. For example,
both DNSCurve and DNSSEC provide cryptographic protection for NXDOMAIN
responses. No DNSCurve or DNSSEC client will turn failure to authenticate
a response into NXDOMAIN, rather both will return a tempfail status.

Incorrect behaviour will not likely be supported any time soon, no matter
how popular, unless it is the only work-around for a critical
inter-operability issue.

If you have enforced TLS destinations that consistently tempfail, and you
cannot disable TLS, but want to alert senders faster, temporarily install
a transport override for the domain:

    example.com error:5.7.4 Mandatory TLS service unavailable

Whether it is wise to continue to enforce TLS for a destination where you
expect TLS service to never be restored is something you have to consider.

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to
not send an "it worked, thanks" follow-up. If you must respond, please
put "It worked, thanks" in the "Subject" so I can delete these quickly.
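The configuration pieces around the transport override described in the reply above, as an added example that is not part of the post and not Postfix project code: the smtp_tls_policy_maps entry that makes delivery to the domain defer while TLS cannot be verified, the temporary transport override that turns that deferral into the 5.7.4 bounce, and the main.cf lines that wire both tables in. The domain example.com, the "secure match=..." policy, the scratch directory and the helper function names are assumptions chosen for the illustration.

```shell
# Added example, not from the post or from Postfix itself. Paths, the domain
# example.com and the "secure match=..." policy are assumptions.

# TLS policy table entry: require a verified certificate for example.com.
# With this in smtp_tls_policy_maps, delivery is deferred (not bounced) while
# the remote MX offers no TLS or an unverifiable certificate.
write_tls_policy() {
  cat > "$1" <<'EOF'
example.com   secure match=example.com:.example.com
EOF
}

# Temporary transport override: turn the deferral into the permanent 5.7.4
# bounce quoted in the post, so senders hear about the outage sooner.
# Remove it again once the remote side restores TLS.
write_transport_override() {
  cat > "$1" <<'EOF'
example.com   error:5.7.4 Mandatory TLS service unavailable
EOF
}

# main.cf fragment wiring both lookup tables in (table paths are assumptions).
main_cf_fragment() {
  dir="$1"
  printf '%s\n' \
    "smtp_tls_security_level = may" \
    "smtp_tls_policy_maps = hash:$dir/tls_policy" \
    "transport_maps = hash:$dir/transport"
}

# Report what a message for the domain gets while TLS is unavailable:
# "bounce" if the error: override is present in the transport table,
# otherwise "defer" (the default enforced-TLS behaviour the post explains).
delivery_outcome() {
  domain="$1"; transport_file="$2"
  if grep -q "^$domain[[:space:]]*error:5\.7\.4" "$transport_file"; then
    echo bounce
  else
    echo defer
  fi
}

# Stand-alone demo: write the tables into a scratch directory and, if the
# postmap utility is installed, compile them the way Postfix expects.
demo() {
  dir=$(mktemp -d)
  write_tls_policy "$dir/tls_policy"
  write_transport_override "$dir/transport"
  main_cf_fragment "$dir"
  if command -v postmap >/dev/null 2>&1; then
    postmap "hash:$dir/tls_policy" "hash:$dir/transport"
  fi
  echo "example.com while TLS is down: $(delivery_outcome example.com "$dir/transport")"
}

demo
```

The tls_policy entry is what keeps the channel honest: a downgrade or a forged MX answer yields a deferral, never an unencrypted delivery. The transport override is the one deliberate exception, installed by hand and removed by hand, which is why the post calls it temporary.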