DevHeads.net

postfix does not bounce instantly when remote party does not offer TLS

Hi,

delays=422/0.03/0.09/0, dsn=4.7.4, status=deferred (TLS is required, but
was not offered by host

This seems to me like a permanent error; Postfix sees it as a temporary one. I
would like to have an instant bounce message for this case, when TLS is not
available.

The sending Postfix is configured 'encrypted', so no fallback is wanted.

Comments

Re: postfix does not bounce instantly when remote party does not

By Herbert J. Skuhra at 09/09/2018 - 11:59

On Sun, Sep 09, 2018 at 06:49:07PM +0200, Stefan Bauer wrote:
http://www.postfix.org/postconf.5.html#plaintext_reject_code

?

Re: postfix does not bounce instantly when remote party does not

By Stefan Bauer at 09/09/2018 - 12:06

Seems to only work when Postfix is the server. I need this for Postfix as a
client when the remote site is not offering TLS.

On Sun., 9 Sep. 2018 at 18:59, Herbert J. Skuhra <... at gojira dot at> wrote:

Re: postfix does not bounce instantly when remote party does not

By Viktor Dukhovni at 09/09/2018 - 11:57

This type of error is often fixed within the queue lifetime of a message.
If TLS was working for a destination, and was misconfigured down, the
miscreant administrator should notice and bring it back.

If you're requiring TLS support from strangers who might never have
offered TLS, and expect delivery or an immediate bounce, we don't
yet support that.

Re: postfix does not bounce instantly when remote party does not

By Stefan Bauer at 09/09/2018 - 12:01

Any way to inform my users about TLS failures via bounce without waiting for the
queue lifetime?

On Sun., 9 Sep. 2018 at 18:58, Viktor Dukhovni <postfix- ... at dukhovni dot org> wrote:

Re: postfix does not bounce instantly when remote party does not

By Viktor Dukhovni at 09/09/2018 - 12:27

http://www.postfix.org/postconf.5.html#delay_warning_time

In corporate systems I tend to split the mail plant into separate inbound
and outbound systems, and only enable delay warnings on the outbound side.

Re: postfix does not bounce instantly when remote party does not

By Stefan Bauer at 09/10/2018 - 06:50

Our quick and dirty approach is to parse the output of mailq, delete the mail and
construct a bounce message, but that is far from a clean solution ;/
Is no other way available?

On Sun., 9 Sep. 2018 at 19:27, Viktor Dukhovni <postfix- ... at dukhovni dot org> wrote:

Re: postfix does not bounce instantly when remote party does not

By Wietse Venema at 09/10/2018 - 18:17

Stefan Bauer:
Yes, see http://www.postfix.org/postconf.5.html#default_delivery_status_filter

The primary use case was a German user who wanted to fail immediately
if it could not be delivered over TLS.

Wietse

Re: postfix does not bounce instantly when remote party does not

By Wietse Venema at 09/10/2018 - 11:06

Viktor Dukhovni:
What about this?

Example 1: convert specific soft TLS errors into hard errors, by overriding
the first number in the enhanced status code.

/etc/postfix/main.cf:
    smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

/etc/postfix/smtp_dsn_filter:
    # Each rule is one line: pattern, whitespace, result. $1 re-inserts the
    # captured "x.y text" part, so only the leading class digit changes 4 -> 5.
    /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1
    /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1
    # Do not change the following into hard bounces. They may
    # result from a local configuration problem.
    # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
    # 4.\d+.\d+ TLS is required, but unavailable
    # 4.\d+.\d+ Cannot start TLS: handshake failure
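
The table above can be dry-run before it touches a live queue. The following is an added example, not code from the thread or from Postfix: it parses the posted smtp_dsn_filter text with Postfix pcre-table semantics (first matching rule wins, case-insensitive by default, $1 substitution) and applies it to constructed delivery status strings, showing that the two "server does not offer/refuses TLS" cases become 5.x.x while the local-fault cases stay 4.x.x. Host names, addresses and the 4.7.5 codes in the samples are made up.

```python
import re
# Constructed copy of the smtp_dsn_filter table posted in the thread.
SMTP_DSN_FILTER = r"""
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/ 5$1
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/ 5$1
# Do not change the following into hard bounces. They may
# result from a local configuration problem.
# 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
# 4.\d+.\d+ TLS is required, but unavailable
# 4.\d+.\d+ Cannot start TLS: handshake failure
"""
# One logical pcre: table line: /pattern/flags, whitespace, result text.
RULE_RE = re.compile(r"^/(?P<pattern>(?:[^/\\]|\\.)*)/(?P<flags>[a-z]*)\s+(?P<result>\S.*)$")

def parse_pcre_table(text):
    """Return [(compiled_regex, template)] in file order, skipping blank and '#' lines.
    Postfix matches case-insensitively unless 'i' toggles that off; '$1' becomes '\\1'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable pcre table line: %r" % line)
        flags = 0 if "i" in m.group("flags") else re.IGNORECASE
        template = re.sub(r"\$(\d+)", r"\\\1", m.group("result"))
        rules.append((re.compile(m.group("pattern"), flags), template))
    return rules

def apply_dsn_filter(rules, dsn_text):
    """First matching rule's result replaces the whole status string; else unchanged."""
    for regex, template in rules:
        m = regex.search(dsn_text)
        if m:
            return m.expand(template)
    return dsn_text

# Constructed delivery status texts modelled on the log line in the thread.
SAMPLE_DSNS = [
    "4.7.4 TLS is required, but was not offered by host mx.example.net[192.0.2.10]",
    "4.7.4 TLS is required, but host mx.example.org[192.0.2.20] refused to start TLS: 454 TLS not available",
    "4.7.5 TLS is required, but our TLS engine is unavailable",  # local fault: stays a 4.x.x tempfail
    "4.7.5 Cannot start TLS: handshake failure",  # cause ambiguous: stays a 4.x.x tempfail
]

def filtered_samples():
    """Apply the table to every sample and return the rewritten status strings."""
    rules = parse_pcre_table(SMTP_DSN_FILTER)
    return [apply_dsn_filter(rules, d) for d in SAMPLE_DSNS]
```

On a real system the same check is `postmap -q "<status text>" pcre:/etc/postfix/smtp_dsn_filter`, which prints the rewritten status or nothing when no rule matches.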

Re: postfix does not bounce instantly when remote party does not

By Viktor Dukhovni at 09/10/2018 - 11:27

A bit tricky to match exactly the right conditions, but plausible.
I did not remember whether one could override tempfails to hardfails,
so I did not suggest this approach...

Re: postfix does not bounce instantly when remote party does not

By Wietse Venema at 09/10/2018 - 11:35

Viktor Dukhovni:
This can change soft<->hard failures, but it can't change
success<->failure.

This should be sufficient to handle the case that the server does
not announce TLS. It does not cover features that do not yet exist.

Wietse

Re: postfix does not bounce instantly when remote party does not

By Stefan Bauer at 09/09/2018 - 12:30

Our system is only outbound, but here, when TLS fails to remote sites, we
would be happy to have an option to instantly bounce, as this is mostly a
fixed state.

On Sun., 9 Sep. 2018 at 19:27, Viktor Dukhovni <postfix- ... at dukhovni dot org> wrote: