postfix does not bounce instantly when remote party does not offer TLS


Stefan Bauer-2
Hi,

delays=422/0.03/0.09/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host

seems to me like a permanent error - postfix sees it as a temporary one. I would like to have instant bounce message for this case when TLS is not available.

The sending Postfix is configured 'encrypted', so no fallback is wanted.

Re: postfix does not bounce instantly when remote party does not offer TLS

Viktor Dukhovni


> On Sep 9, 2018, at 12:49 PM, Stefan Bauer <[hidden email]> wrote:
>
> delays=422/0.03/0.09/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host
>
> seems to me like a permanent error - postfix sees it as a temporary one. I would like to have instant bounce message for this case when TLS is not available.

This type of error is often fixed within the queue lifetime of a message.
If TLS was working for a destination, and was misconfigured down, the
miscreant administrator should notice and bring it back.

If you're requiring TLS support from strangers who might never have
offered TLS, and expect delivery or an immediate bounce, we don't
yet support that.

--
        Viktor.


Re: postfix does not bounce instantly when remote party does not offer TLS

Herbert J. Skuhra-3
In reply to this post by Stefan Bauer-2
On Sun, Sep 09, 2018 at 06:49:07PM +0200, Stefan Bauer wrote:

> Hi,
>
> delays=422/0.03/0.09/0, dsn=4.7.4, status=deferred (TLS is required, but
> was not offered by host
>
> seems to me like a permanent error - postfix sees it as a temporary one. I
> would like to have instant bounce message for this case when TLS is not
> available.
>
> sending postfix is configured 'encrypted' so no fallback is wanted.

http://www.postfix.org/postconf.5.html#plaintext_reject_code 

?
 
--
Herbert

Re: postfix does not bounce instantly when remote party does not offer TLS

Stefan Bauer-2
In reply to this post by Viktor Dukhovni
Any way to inform my users about TLS failures via bounce without waiting for the queue lifetime?


Re: postfix does not bounce instantly when remote party does not offer TLS

Stefan Bauer-2
In reply to this post by Herbert J. Skuhra-3
That seems to only work when Postfix is the server. I need this for Postfix as a client, when the remote site is not offering TLS.


Re: postfix does not bounce instantly when remote party does not offer TLS

Viktor Dukhovni
In reply to this post by Stefan Bauer-2


> On Sep 9, 2018, at 1:01 PM, Stefan Bauer <[hidden email]> wrote:
>
> any way to inform my users about TLS fails via bounce without waiting queue lifetime?

http://www.postfix.org/postconf.5.html#delay_warning_time

In corporate systems I tend to split the mail plant into separate inbound
and outbound systems, and only enable delay warnings on the outbound side.

--
        Viktor.


Re: postfix does not bounce instantly when remote party does not offer TLS

Stefan Bauer-2
Our system is outbound only, but when TLS fails to remote sites, we would be happy to have an option to instantly bounce, as this is mostly a fixed state.


Re: postfix does not bounce instantly when remote party does not offer TLS

Stefan Bauer-2
In reply to this post by Viktor Dukhovni
Our quick and dirty approach is to parse the output of mailq, delete the mail and construct a bounce message, but that is far from a clean solution ;/
No other way available?



Re: postfix does not bounce instantly when remote party does not offer TLS

Viktor Dukhovni


> On Sep 10, 2018, at 7:50 AM, Stefan Bauer <[hidden email]> wrote:
>
> Our quick and dirty approach is to parse the output of mailq, delete the mail and construct a bounce message, but that is far from a clean solution ;/
> No other way available?

Not presently.

--
        Viktor.


Re: postfix does not bounce instantly when remote party does not offer TLS

Wietse Venema
Viktor Dukhovni:
>
>
> > On Sep 10, 2018, at 7:50 AM, Stefan Bauer <[hidden email]> wrote:
> >
> > Our quick and dirty approach is to parse the output of mailq, delete the mail and construct a bounce message, but that is far from a clean solution ;/
> > No other way available?
>
> Not presently.

What about this?

   Example 1: convert specific soft TLS errors into hard errors, by overriding
   the first number in the enhanced status code.

       /etc/postfix/main.cf:
           smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter

       /etc/postfix/smtp_dsn_filter:
           /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
               5$1
           /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
               5$1
           # Do not change the following into hard bounces. They may
           # result from a local configuration problem.
           # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
           # 4.\d+.\d+ TLS is required, but unavailable
           # 4.\d+.\d+ Cannot start TLS: handshake failure
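
The matching in the table above can be checked offline before it goes into main.cf. The following Python script is an added example for this thread, not Postfix code and not something either poster wrote. It re-implements only the subset of pcre_table(5) semantics the table relies on (first match wins, `$N` substitution, case-insensitive matching by default, indented continuation lines, `#` comments) and runs the two rules over a handful of constructed delivery status strings in the form smtp(8) hands to smtp_delivery_status_filter (and, in the same form, to default_delivery_status_filter mentioned later in the thread): the enhanced status code, a space, then the status text. The host names and addresses in the samples are documentation values, and the exact wording of the "refused to start TLS" and "TLS engine" samples is taken from the comments in the table rather than from real Postfix logs.

```python
"""Offline emulation of a Postfix pcre: delivery status filter table.

Added example, not Postfix code.  It implements just enough of
pcre_table(5) (first match wins, $N / ${N} substitution, case-insensitive
matching unless toggled off, indented continuation lines, '#' comments)
to show which delivery status strings the filter rewrites.  Negated
entries (!/pattern/) and IF/ENDIF blocks are not supported.
"""
import re

# Table text from the post above, embedded verbatim for offline use.
SMTP_DSN_FILTER = r"""
/^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
    5$1
/^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
    5$1
# Do not change the following into hard bounces. They may
# result from a local configuration problem.
# 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
# 4.\d+.\d+ TLS is required, but unavailable
# 4.\d+.\d+ Cannot start TLS: handshake failure
"""

# Constructed lookup keys: "<enhanced status code> <status text>", which is
# what smtp(8) feeds the filter.  Hosts/addresses are documentation values.
SAMPLE_DSNS = [
    "4.7.4 TLS is required, but was not offered by host mx.example.com[192.0.2.1]",
    "4.7.0 TLS is required, but host mx.example.com[192.0.2.1] refused to start TLS: "
    "454 4.7.0 TLS not available due to temporary reason",
    "4.7.5 TLS is required, but our TLS engine is unavailable",
    "4.7.5 Cannot start TLS: handshake failure",
    "2.0.0 OK",
]

# pcre_table(5): each flag letter *toggles* the option; i and s default on.
_FLAG_BITS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}
_DEFAULT_FLAGS = re.IGNORECASE | re.DOTALL


def _logical_lines(text):
    """Join indented continuation lines onto the preceding line; drop blanks."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_pcre_table(text):
    """Return [(compiled_regex, replacement), ...] in file order."""
    rules = []
    for line in _logical_lines(text):
        if line.startswith("#"):
            continue
        delim = line[0]
        end = line.find(delim, 1)
        while end != -1 and line[end - 1] == "\\":   # skip escaped delimiters
            end = line.find(delim, end + 1)
        if end == -1:
            raise ValueError("unterminated pattern: %r" % line)
        pattern = line[1:end]
        m = re.match(r"([imsx]*)\s*(.*)$", line[end + 1:])
        flags = _DEFAULT_FLAGS
        for ch in m.group(1):
            flags ^= _FLAG_BITS[ch]
        rules.append((re.compile(pattern, flags), m.group(2).strip()))
    return rules


def _expand(replacement, match):
    """Substitute $N and ${N} with the corresponding capture group."""
    return re.sub(r"\$\{(\d+)\}|\$(\d+)",
                  lambda g: match.group(int(g.group(1) or g.group(2))) or "",
                  replacement)


def apply_filter(rules, dsn):
    """First matching rule wins; an unmatched key is returned unchanged."""
    for regex, replacement in rules:
        m = regex.search(dsn)
        if m:
            return _expand(replacement, m)
    return dsn


def classify(dsns=SAMPLE_DSNS, table=SMTP_DSN_FILTER):
    """Map each lookup key to the status text Postfix would use after filtering."""
    rules = parse_pcre_table(table)
    return {d: apply_filter(rules, d) for d in dsns}


if __name__ == "__main__":
    for key, result in classify().items():
        tag = "HARD BOUNCE" if result[0] == "5" and key[0] == "4" else "unchanged  "
        print("%s  %s" % (tag, result))
```

Only the two "remote side did not do TLS" strings come out with a leading 5, so they become hard bounces; the local "TLS engine" and "handshake failure" strings, and a successful 2.x.x status, pass through untouched, which is exactly the split the comments in the table ask for. On a host with Postfix installed, `postmap -q "4.7.4 TLS is required, but was not offered by host mx.example.com[192.0.2.1]" pcre:/etc/postfix/smtp_dsn_filter` performs the same lookup with Postfix's own pcre table code and is the authoritative check; the script is for reasoning about the patterns where no Postfix is available.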


Re: postfix does not bounce instantly when remote party does not offer TLS

Viktor Dukhovni


> On Sep 10, 2018, at 12:06 PM, Wietse Venema <[hidden email]> wrote:
>
> What about this?
>
>   Example 1: convert specific soft TLS errors into hard errors, by overriding
>   the first number in the enhanced status code.
>
>       /etc/postfix/main.cf:
>           smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
>
>       /etc/postfix/smtp_dsn_filter:
>           /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
>               5$1
>           /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
>               5$1
>           # Do not change the following into hard bounces. They may
>           # result from a local configuration problem.
>           # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
>           # 4.\d+.\d+ TLS is required, but unavailable
>           # 4.\d+.\d+ Cannot start TLS: handshake failure

A bit tricky to match exactly the right conditions, but plausible.
I did not remember whether one could override tempfails to hardfails,
so I did not suggest this approach...

--
        Viktor.


Re: postfix does not bounce instantly when remote party does not offer TLS

Wietse Venema
Viktor Dukhovni:

>
>
> > On Sep 10, 2018, at 12:06 PM, Wietse Venema <[hidden email]> wrote:
> >
> > What about this?
> >
> >   Example 1: convert specific soft TLS errors into hard errors, by overriding
> >   the first number in the enhanced status code.
> >
> >       /etc/postfix/main.cf:
> >           smtp_delivery_status_filter = pcre:/etc/postfix/smtp_dsn_filter
> >
> >       /etc/postfix/smtp_dsn_filter:
> >           /^4(\.\d+\.\d+ TLS is required, but host \S+ refused to start TLS: .+)/
> >               5$1
> >           /^4(\.\d+\.\d+ TLS is required, but was not offered by host .+)/
> >               5$1
> >           # Do not change the following into hard bounces. They may
> >           # result from a local configuration problem.
> >           # 4.\d+.\d+ TLS is required, but our TLS engine is unavailable
> >           # 4.\d+.\d+ TLS is required, but unavailable
> >           # 4.\d+.\d+ Cannot start TLS: handshake failure
>
> A bit tricky to match exactly the right conditions, but plausible.
> I did not remember whether one could override tempfails to hardfails,
> so I did not suggest this approach...

This can change soft<->hard failures, but it can't change
success<->failure.

This should be sufficient to handle the case that the server does
not announce TLS. It does not cover features that do not yet exist.

        Wietse

Re: postfix does not bounce instantly when remote party does not offer TLS

Wietse Venema
In reply to this post by Stefan Bauer-2
Stefan Bauer:
> Our quick and dirty approach is to parse the output of mailq, delete the mail and
> construct a bounce message, but that is far from a clean solution ;/
> No other way available?

Yes, see http://www.postfix.org/postconf.5.html#default_delivery_status_filter

The primary use case was a German user who wanted to fail immediately
if it could not be delivered over TLS.

        Wietse