Issues delivering mail from GMX to my postfix

Viktor Dukhovni ietf-dane at
Thu May 19 20:05:17 CEST 2016

On Thu, May 19, 2016 at 07:26:46PM +0200, Carsten Strotmann (sys4) wrote:

> My 2nd MX ( is a plain postfix on Debian doing
> STARTTLS and having DANE TLSA. If the first MX does not offer STARTTLS,
> shouldn't a sender try the 2nd MX (TLSA authenticated) mail-destination
> in case the first fails because of missing STARTTLS?

It definitely should.  DANE clients should not impose a single
point of failure at the primary MX host.

However, your primary MX host has both an IPv4 and an IPv6 address,
and if GMX is using Postfix as their outbound, perhaps they've set

to 2?  This would preclude ever connecting to your backup MX.
Failure to complete TLS handshakes does not count against the

However, the above is a rather improbable wild guess, no idea why
they don't try the backup.

> I scanned RFC 7672, but couldn't find this case mentioned.

Section 2.2:

    A "secure" TLSA RRset with at least one usable record:  Any
    connection to the MTA MUST employ TLS encryption and MUST
    authenticate the SMTP server using the techniques discussed in the
    rest of this document.  Failure to establish an authenticated TLS
    connection MUST result in falling back to the next SMTP server or
    delayed delivery.

I think you know some the GMX staff in person.  In which case,
reach out to them, they may be able to look into what the problem
looks like on their end.  If you don't, drop me a note, and I'll
forward the contact info I have.  They should be interested in
ironing out any implementation limitations on their end.


More information about the dane-users mailing list