On Tue, Aug 15, 2023 at 11:33:08AM -0400, Wietse Venema via Postfix-users wrote:

> With that, the condition evaluates to:
> 
>     1: session->tls_context == 0                   true
>     2: state->tls->level == TLS_LEV_MAY            presumably true
>     3: PREACTIVE_DELAY >= var_min_backoff_time     false
>     4: !HAVE_SASL_CREDENTIALS                      ?
> 
> [...]
> 
> Condition 3 may need more nuance. The code is OK for non-probe
> messages; it prefers to retry later with TLS, over immediately
> falling back to plaintext. When the later retry also fails in the
> TLS handshake, then Postfix will immediately fall back to plaintext.
> 
> However, probes don't retry, so maybe we should skip condition 3
> for probes.

That's my instinct also.  Waiting out transient glitches by retrying on
the next delivery attempt is not an option for probes.  And probes don't
leak message content in the clear, nor even the full envelope, just a
single sender or recipient.

I am surprised it took this long for the impedance mismatch to get
noticed.  We've had TLS retry on next delivery for close to two decades,
and recipient verification for a similar timeframe.

So it seems that legitimate domains (from which one actually cares to
receive mail) with persistently broken STARTTLS rarely send mail to
Postfix sites with sender verification enabled.

-- 
    Viktor.