Host offered STARTTLS: [mxlb... without relation to destination domain

I like the option smtp_tls_note_starttls_offer = yes
but when a host is logged, it's hard to keep track of which recipient
domain that host belongs to without doing dns-lookups against all listed in

Can this be improved to maybe also list the appropriate recipient domain?


Re: Host offered STARTTLS: [mxlb... without relation to destination domain

By Viktor Dukhovni at 09/09/2018 - 13:03

Well, TLS is by nexthop domain not recipient domain. Typically the
nexthop domain is the recipient domain, but with "relayhost" or
other transport overrides, they need not be the same. So if your
goal is to discover which policy got you there, then you want the
nexthop logged.

If you use the script (which may need tweaks to
match the initial boilerplate part of your syslog message format
with the date, hostname, ...) included with the Postfix source
you can see which deliveries correspond to the messages in
question. We could log the nexthop domain in a future release;
this is not an unreasonable request.
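One way to do that pairing from the logs, as an added example that is not the Postfix-supplied script and not part of this thread: the "Host offered STARTTLS" line carries no queue ID, so it is matched to the next delivery line logged by the same smtp(8) process. The regexes assume the standard syslog prefix and the sample lines are constructed.

```python
import re

# Constructed sample syslog lines (not from the thread). The third delivery
# by pid 12345 has no preceding offer line, so it must not be paired.
SAMPLE_LOG = """\
Sep  9 18:59:01 mail postfix/smtp[12345]: Host offered STARTTLS: [mxlb.example.net]
Sep  9 18:59:01 mail postfix/smtp[12345]: 3ABC12DEF0: to=<alice@example.net>, relay=mxlb.example.net[192.0.2.10]:25, delay=0.5, dsn=2.0.0, status=sent (250 OK)
Sep  9 18:59:02 mail postfix/smtp[12346]: Host offered STARTTLS: [mail.example.org]
Sep  9 18:59:02 mail postfix/smtp[12346]: 3ABC12DEF1: to=<bob@example.org>, relay=mail.example.org[198.51.100.7]:25, delay=0.4, dsn=2.0.0, status=sent (250 OK)
Sep  9 18:59:03 mail postfix/smtp[12345]: 3ABC12DEF2: to=<carol@example.com>, relay=mx.example.com[203.0.113.5]:25, delay=0.3, dsn=2.0.0, status=sent (250 OK)
"""

OFFER_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: Host offered STARTTLS: \[(?P<host>[^\]]+)\]")
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<qid>[0-9A-F]+): to=<[^@>]+@(?P<domain>[^>]+)>, "
    r"relay=(?P<relay>[^\[\s]+)\[")


def pair_starttls_offers(log_text):
    """Return (queue_id, relay_host, recipient_domain) for every delivery
    that followed a 'Host offered STARTTLS' line from the same smtp process
    and went to the host that made the offer."""
    pending = {}   # pid -> host that just offered STARTTLS on this connection
    pairs = []
    for line in log_text.splitlines():
        m = OFFER_RE.search(line)
        if m:
            pending[m["pid"]] = m["host"]
            continue
        m = DELIVERY_RE.search(line)
        if m and pending.get(m["pid"]) == m["relay"]:
            # The recipient domain is only a proxy: with relayhost or other
            # transport overrides the nexthop that chose the policy differs.
            pairs.append((m["qid"], m["relay"], m["domain"]))
            del pending[m["pid"]]   # one offer line per connection
    return pairs


if __name__ == "__main__":
    for qid, relay, domain in pair_starttls_offers(SAMPLE_LOG):
        print(f"{qid}: {relay} offered STARTTLS (recipient domain {domain})")
```

The resulting list is a starting inventory of destinations that advertise STARTTLS but are currently reached in plaintext, which is the input needed to decide where a 'may' or stricter policy is safe.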

Re: Host offered STARTTLS: [mxlb... without relation to destination domain

By Stefan Bauer at 09/09/2018 - 13:08

It would be great to have this as part of the log string! Thank you for
considering my request.

On Sun, 9 Sep 2018 at 19:03, Viktor Dukhovni <
postfix- ... at dukhovni dot org> wrote:

Re: Host offered STARTTLS: [mxlb... without relation to destination domain

By Wietse Venema at 09/09/2018 - 10:51

Stefan Bauer:
This information is logged when the TLS level is set to NONE.

Why not set the default TLS level to 'may' (perhaps with appropriate
default ciphers/protocols/etc) and automatically discover what
recipients can really be delivered over TLS?

The existence of a STARTTLS announcement does not mean that
you will actually be able to interoperate with the server.