Paul van der Vlis via Postfix-users:
> Hello, Mogge.
> Here in the Netherlands, we have several providers that claim email only
> runs via encrypted connections. Like https://soverin.com/ .
>
> Connections to and from other mail servers that do not accept secure
> encryption, are rejected.

https://soverin.com/product/technical-specs lists among others:

* worldwide 100% correct SMTP, DANE, TLSA
* Fully compliant (and more) with all email protocols and standards
  like GDPR, AVG, SPF, DANE, TLSA, TLS, BIMI, SRS, SSL, DNSSEC

[there is more, such as 'no queuing', but no mention of MTA-STS]

On the client side, this may be a candidate for Postfix 3.11:

    smtp_requiretls_policy = inline:{{nl = enforce}}, opportunistic

Your Postfix SMTP server cannot force a client to securely authenticate
the server's TLS certificate.

> I would like that myself, but I wonder what happens if a connection
> cannot be established. I would like such a message to be returned to the
> sender immediately, rather than getting stuck in the queue.

With the 'enforce' above, the Postfix SMTP client will try multiple
MX hosts before it returns the message as undeliverable because no
MX host supports "strongly authenticated TLS".

Your Postfix SMTP server cannot force a client to immediately return
a message to the sender.

	Wietse
