TLS-sending guarantee @posteo.de
──────────────────────────────────────────────────────────────────────
Today, an internet fellow reported to me a strange issue he had when
sending me emails from his @posteo.de address. The mail bounced with
the following error:

“TLS is required, but was not offered by host”

What? I run opensmtpd, whose configuration includes the following
line:

    listen on egress tls pki lucy.z3bra.org

This makes the server listen on port 25, and accept upgrading the
connection to TLS with the STARTTLS command. A quick telnet session
demonstrates that it works as expected:

    220 lucy.z3bra.org ESMTP OpenSMTPD
    HELO sweetie
    250 lucy.z3bra.org Hello sweetie [redacted], pleased to meet you
    STARTTLS
    220 2.0.0 Ready to start TLS

So what is Posteo really complaining about?

After searching a bit, I found that they have an option called
« TLS-sending guarantee » (off by default). See their article on the
TLS-sending guarantee for further details [0]:

“As standard, before sending each email, Posteo attempts to create
an encrypted connection with other email servers. If the TLS-sending
guarantee is activated for your account, we will only send your email
if it can be securely delivered to the recipient.”

My guess is that TLS is checked by connecting to port 465 first, and
that the server is considered « unsafe » if the connection is refused.
It is probable that checking STARTTLS is costly in terms of resources,
because it means restarting an already established connection.

Of course, opensmtpd supports that, and the configuration was
*extremely* easy:

    listen on egress smtps pki lucy.z3bra.org

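To check both listeners the way a strict sender might (STARTTLS on port 25, implicit TLS on port 465), here is an added Python probe; it is example code written for this note, not part of the original post or of OpenSMTPD, and `probe.example` is a placeholder EHLO name.

```python
import socket
import ssl

CTX = ssl.create_default_context()  # validates the server cert; a mismatch counts as failure

def read_reply(sock) -> bytes:
    # Read one reply; done when the last line is 'NNN text' or bare 'NNN' ('NNN-' means more).
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        last = buf[:-2].rsplit(b"\r\n", 1)[-1] if buf.endswith(b"\r\n") else b""
        if last[:3].isdigit() and last[3:4] in (b"", b" "):
            return buf

def ehlo_offers_starttls(reply: bytes) -> bool:
    # True when a 250 EHLO reply lists STARTTLS on a '250-STARTTLS' or '250 STARTTLS' line.
    for line in reply.decode("ascii", "replace").splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            if line[4:].upper().split(None, 1)[:1] == ["STARTTLS"]:
                return True
    return False

def probe_starttls(host: str, port: int = 25, timeout: float = 10) -> bool:
    # Clear-text connect, EHLO, STARTTLS, then a verified TLS handshake on the same socket.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not read_reply(s).startswith(b"220"):
                return False
            s.sendall(b"EHLO probe.example\r\n")  # placeholder client name
            if not ehlo_offers_starttls(read_reply(s)):
                return False
            s.sendall(b"STARTTLS\r\n")
            if not read_reply(s).startswith(b"220"):
                return False
            CTX.wrap_socket(s, server_hostname=host).close()  # handshake happens here
            return True
    except OSError:  # refused, timeout, or ssl.SSLError (a subclass of OSError)
        return False

def probe_smtps(host: str, port: int = 465, timeout: float = 10) -> bool:
    # Implicit TLS: handshake first, then expect the 220 banner inside the tunnel.
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with CTX.wrap_socket(s, server_hostname=host) as tls:
                return read_reply(tls).startswith(b"220")
    except OSError:
        return False
```

Call `probe_starttls("lucy.z3bra.org")` and `probe_smtps("lucy.z3bra.org")` from a Python shell; certificate validation is on, so an expired or mismatched certificate reports False as well.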
You learn something new every day!
--
~wgs

[0]: https://posteo.de/en/help/activating-tls-sending-guarantee

20201020.2031