Issues delivering mail from GMX to my postfix
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu May 19 20:05:17 CEST 2016
On Thu, May 19, 2016 at 07:26:46PM +0200, Carsten Strotmann (sys4) wrote:
> My 2nd MX (smtp3.strotmann.de) is a plain postfix on Debian doing
> STARTTLS and having DANE TLSA. If the first MX does not offer STARTTLS,
> shouldn't a sender try the 2nd MX (TLSA authenticated) mail-destination
> in case the first fails because of missing STARTTLS?
It definitely should. DANE clients should not impose a single
point of failure at the primary MX host.
However, your primary MX host has both an IPv4 and an IPv6 address,
and if GMX is using Postfix as their outbound, perhaps they've set
http://www.postfix.org/postconf.5.html#smtp_mx_address_limit
to 2? This would preclude ever connecting to your backup MX.
Failure to complete TLS handshakes does not count against the
http://www.postfix.org/postconf.5.html#smtp_mx_session_limit
However, the above is a rather improbable wild guess, no idea why
they don't try the backup.
> I scanned RFC 7672, but couldn't find this case mentioned.
Section 2.2:
A "secure" TLSA RRset with at least one usable record: Any
connection to the MTA MUST employ TLS encryption and MUST
authenticate the SMTP server using the techniques discussed in the
rest of this document. Failure to establish an authenticated TLS
connection MUST result in falling back to the next SMTP server or
delayed delivery.
I think you know some the GMX staff in person. In which case,
reach out to them, they may be able to look into what the problem
looks like on their end. If you don't, drop me a note, and I'll
forward the contact info I have. They should be interested in
ironing out any implementation limitations on their end.
--
Viktor.
More information about the dane-users
mailing list