On Wed, Aug 20, 2025 at 11:15:59AM +0200, Florian Piekert via Postfix-users
wrote:
> I know that there are certain consequences of using
> smtp_tls_security_level = encrypt
Postfix will by default defer (and NOT bounce) messages when a remote
server fails to meet the TLS security expectations. A bounce will
*only* happen once a message has exceeded the maximum queue lifetime.
> However, is there a way to (temporarily) "suspend" a mail that would
> bounce if the target MX server(s) do not offer TLS?
This is default built-in behaviour, you don't need to do anything.
> Logically, the mail is then already gone for good due to the
> dsn=5.7.4, status=bounced (TLS is required, but was not offered by
> host... error.
Don't configure Postfix to immediately bounce TLS policy failures.
The default action is to defer the delivery, possibly after trying
another MX host:
$ git grep -B2 -A1 'TLS is required, but was not offered' -- src/smtp
src/smtp/smtp_proto.c-	    return (smtp_site_fail(state, DSN_BY_LOCAL_MTA,
src/smtp/smtp_proto.c-				   SMTP_RESP_FAKE(&fake, "4.7.4"),
src/smtp/smtp_proto.c:				   "TLS is required, but was not offered by host %s",
src/smtp/smtp_proto.c-				   session->namaddr));
> So I ask myself if there is a (simple?) possibility of suspending such
> mail prior to deletion from the qmgr and, after having added it to the
> tls_routing_maps file, to "mailq -q" (or with queue ID, whatever)?
You must have adopted the non-default configuration below, which you now
regret:
$ git grep -B16 -A8 'TLS is required, but was not offered' -- proto/
proto/postconf.proto-
proto/postconf.proto-<p> Example 1: convert specific soft TLS errors into hard errors,
proto/postconf.proto-by overriding the first number in the enhanced status code. </p>
proto/postconf.proto-
proto/postconf.proto-<blockquote>
proto/postconf.proto-<pre>
proto/postconf.proto-/etc/postfix/main.cf:
proto/postconf.proto-    smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
proto/postconf.proto-</pre>
proto/postconf.proto-</blockquote>
proto/postconf.proto-
proto/postconf.proto-<blockquote>
proto/postconf.proto-<pre>
proto/postconf.proto-/etc/postfix/smtp_dsn_filter:
proto/postconf.proto-    /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
proto/postconf.proto-        5$1
proto/postconf.proto:    /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
proto/postconf.proto-        5$1
proto/postconf.proto-    # Do not change the following into hard bounces. They may
proto/postconf.proto-    # result from a local configuration problem.
proto/postconf.proto-    # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
proto/postconf.proto-    # 4.\d+.\d+ TLS is required, but unavailable
proto/postconf.proto-    # 4.\d+.\d+ Cannot start TLS: handshake failure
proto/postconf.proto-</pre>
proto/postconf.proto-</blockquote>
--
Viktor. 🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
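An added worked example, not code from the thread, from Postfix, or from its documentation. It shows the two things the exchange above turns on: what the documented smtp_delivery_status_filter rules do to a 4.7.4 TLS-policy deferral (they become 5.7.4 and bounce on the first attempt, while the "our TLS engine is unavailable" case stays soft), and how an operator running the default (deferring) behaviour can find the messages waiting in the deferred queue, write a per-destination smtp_tls_policy_maps exception, and flush them by queue ID. The pcre rules are copied from the docs example quoted in the reply and re-expressed as Python regexes (an assumption: Postfix evaluates them with PCRE, which is equivalent for these patterns); the log lines are constructed and assume the default smtp(8) syslog line format.

```python
import re

# The two rules from the postconf "Example 1" quoted above, as Python regexes.
# Lookup key format, per smtp_delivery_status_filter: "<enhanced code> <text>".
HARD_BOUNCE_RULES = [
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)"), r"5\1"),
    (re.compile(r"^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)"), r"5\1"),
]

# Default Postfix configuration: no filter, every status passes through unchanged.
DEFAULT_RULES = []


def apply_dsn_filter(dsn_and_text, rules):
    """Mimic the filter: the first matching rule's replacement becomes the
    new "<enhanced code> <text>" key; a non-matching key is left as-is."""
    for pattern, replacement in rules:
        if pattern.match(dsn_and_text):
            return pattern.sub(replacement, dsn_and_text, count=1)
    return dsn_and_text


# smtp(8) delivery record in the default syslog format (assumed, see lead-in).
LOG_RE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<qid>[0-9A-F]+): to=<(?P<rcpt>[^>]+)>, "
    r"relay=(?P<relay>\S+), .*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

# Only the remote-side policy failures; local TLS-engine problems are excluded
# for the same reason the docs refuse to hard-bounce them.
TLS_POLICY_SOFTFAIL = re.compile(
    r"TLS is required, but (was not offered by host|host \S+ refused to start TLS)"
)


def find_tls_policy_deferrals(log_lines):
    """Messages deferred because the remote MX did not satisfy
    smtp_tls_security_level=encrypt. With the default configuration these
    stay in the deferred queue until maximal_queue_lifetime expires."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["status"] != "deferred" or m["dsn"] != "4.7.4":
            continue
        if not TLS_POLICY_SOFTFAIL.search(m["reason"]):
            continue
        hits.append({
            "queue_id": m["qid"],
            "domain": m["rcpt"].rsplit("@", 1)[1].lower(),
            "relay": m["relay"],
            "reason": m["reason"],
        })
    return hits


def policy_exception_line(domain):
    """smtp_tls_policy_maps entry lowering one destination to opportunistic
    TLS ("may"), leaving the global encrypt level in place for everyone else."""
    return f"{domain}\tmay"


def dsn_after_filter(log_lines, rules):
    """Map queue ID -> enhanced status code each deferral would carry after
    the filter; 5.x.x means the message bounces instead of being deferred."""
    out = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m["status"] == "deferred":
            out[m["qid"]] = apply_dsn_filter(f"{m['dsn']} {m['reason']}", rules).split(" ", 1)[0]
    return out


# Constructed log excerpt: one remote TLS-policy deferral, one local-engine
# deferral that must remain soft, one ordinary successful delivery.
SAMPLE_LOG = [
    "Aug 20 11:15:59 mx1 postfix/smtp[4711]: 4BFE21C0A3: to=<alice@example.com>, "
    "relay=mx.example.com[192.0.2.25]:25, delay=0.42, delays=0.01/0/0.4/0, dsn=4.7.4, "
    "status=deferred (TLS is required, but was not offered by host mx.example.com[192.0.2.25])",
    "Aug 20 11:16:03 mx1 postfix/smtp[4712]: 5C0D31C0B7: to=<bob@example.net>, "
    "relay=none, delay=0.02, delays=0.01/0/0.01/0, dsn=4.7.4, "
    "status=deferred (TLS is required, but our TLS engine is unavailable)",
    "Aug 20 11:16:10 mx1 postfix/smtp[4713]: 6D1E41C0C9: to=<carol@example.org>, "
    "relay=mail.example.org[198.51.100.7]:25, delay=0.9, delays=0.1/0/0.3/0.5, dsn=2.0.0, "
    "status=sent (250 2.0.0 Ok: queued as 8F3A2)",
]

if __name__ == "__main__":
    for hit in find_tls_policy_deferrals(SAMPLE_LOG):
        print(f"{hit['queue_id']}: {hit['domain']} via {hit['relay']}: {hit['reason']}")
        print("  add to /etc/postfix/tls_policy:", policy_exception_line(hit["domain"]))
        print(f"  then: postmap /etc/postfix/tls_policy && postqueue -i {hit['queue_id']}")
    print("with docs filter:", dsn_after_filter(SAMPLE_LOG, HARD_BOUNCE_RULES))
    print("default:         ", dsn_after_filter(SAMPLE_LOG, DEFAULT_RULES))
```

Run against a real log, the first part gives the operator the window the original question asks for: the queue ID to release with `postqueue -i` once the destination has a `may` entry in the policy table. The second part makes the reply's point concrete: with the documented filter in place the "not offered" deferral is already 5.7.4 on the first attempt, so there is no queued message left to suspend.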