Greetings, Viktor Dukhovni!

>> On Nov 28, 2018, at 9:25 PM, Andrey Repin <anrdae...@yandex.ru> wrote:
>>
>>> The "smtp_tls_wrapper_mode" setting in Postfix is per-transport
>>> (via master.cf overrides), and has no per-destination analogue in
>>> the TLS policy table. Nor is this inferred from the port number.
>>
>>> So yes, you can't have wrapper mode for just the fallback relay.
>>> Which means that your relayhost would have to support STARTTLS.
>>
>> It does not, I just double checked with the owner.

> In that case, you'd need to configure stunnel or similar to listen
> on a local loopback port and proxy it to port 465 on the remote
> host, via an authenticated upstream TLS connection (avoid the legacy
> "verify = 2", it is not secure).

> With that, your fallback relay can be just cleartext SMTP to a local
> port which stunnel will encrypt in transit. You'd need to enable
> plaintext auth without TLS, since Postfix won't know about stunnel
> doing TLS on the wire.

> Another alternative, avoiding stunnel is to forward the mail to
> a fallback Postfix instance that then sends everything via the
> relay (using wrapper_mode).

Yes, I came to the same conclusion. Not the most secure, but probably the only working solution without too much overhead.

Thanks for your help.

--
With best regards,
Andrey Repin
Thursday, November 29, 2018 5:57:10

Sorry for my terrible English...
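The stunnel-plus-cleartext-fallback arrangement described in the reply above, written out as an added configuration example (not from the thread or from the Postfix or stunnel projects). The relay host names, the loopback port 10465, the CA bundle path and the credentials are placeholders; stunnel's `verifyChain`/`checkHost` directives are used instead of the legacy `verify = 2`, which checks the chain but not the peer name.

```ini
# --- /etc/stunnel/smtps-relay.conf (stunnel in client mode) ---
# Placeholder relay name; replace with the real implicit-TLS (port 465) relay.
[smtps-relay]
client     = yes
accept     = 127.0.0.1:10465            ; loopback listener Postfix talks to in cleartext
connect    = relay.example.net:465      ; upstream SMTPS (TLS wrapper mode) port
CAfile     = /etc/ssl/certs/ca-certificates.crt   ; CA bundle path (assumed, Debian layout)
verifyChain = yes                       ; validate the certificate chain against CAfile
checkHost  = relay.example.net          ; and require the name to match (verify = 2 does not)
sni        = relay.example.net          ; send SNI so the relay presents the right certificate

# --- /etc/postfix/main.cf (fallback goes to the stunnel loopback port) ---
# Primary relay speaks STARTTLS as usual; the fallback is cleartext to stunnel.
relayhost            = [primary.example.org]
smtp_fallback_relay  = [127.0.0.1]:10465
smtp_tls_security_level = encrypt
smtp_tls_policy_maps    = hash:/etc/postfix/tls_policy
smtp_sasl_auth_enable   = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
# Default is "noplaintext, noanonymous", which refuses PLAIN/LOGIN when Postfix
# itself is not doing TLS. Postfix cannot see stunnel's TLS, so drop noplaintext;
# the cleartext hop never leaves the loopback interface.
smtp_sasl_security_options = noanonymous

# --- /etc/postfix/tls_policy (run "postmap" after editing) ---
# Postfix must not attempt STARTTLS on the loopback hop; stunnel wraps it.
; [127.0.0.1]:10465   none

# --- /etc/postfix/sasl_passwd (mode 0600, run "postmap" after editing) ---
# Lookup key is the next-hop exactly as written in smtp_fallback_relay.
; [127.0.0.1]:10465   relayuser:placeholder-password
```

Because `smtp_sasl_security_options` is a global setting for the smtp transport, the relaxed value also applies to the primary relay; there `smtp_tls_security_level = encrypt` still guarantees TLS before any credentials are sent.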