> On Fri, Feb 05, 2016 at 06:42:34AM -0800, Ned Freed wrote:
> The implementation and documentation of this was joint work with
> Wietse back in early 2006. These days, when STARTTLS fails, Postfix
> tries other MX hosts first and if they all fail, defers the mail
> initially. Cleartext fallback kicks in on the second delivery
> attempt if STARTTLS fails again.
Actually, I consider this approach unacceptable unless the second delivery
attempt occurs within a minute or two. (Which, incidentally, is a much
shorter retry period after deferral than the standards recommend.)
> The default is 5 minutes, with doubling exponential backoff up to
> a cutoff of somewhat over an hour:
That's borderline IMO.
...
> As for "unacceptable", you might find the below fall into that
> category:
> * IIRC Sendmail never falls back to cleartext if STARTTLS is
> advertised.
A fix has been available for a while; the apparent plan is to integrate
it into sendmail 8.16. See:
http://www.sendmail.org/%7Eca/email/patches/tls_failures.p1
for details. However, since the fix doesn't allow for immediate fallback,
it leaves a lot to be desired.
...
> As for a delay of < 5 minutes delivering email to such broken sites
> it is, for most users, a reasonable trade-off to reduce needless
> TLS fallback in the face of routine transmission glitches.
That's a consequence of piggybacking cleartext fallback on the deferral
mechanism you use for transmission failures. It doesn't have to be done
this way.
Ned
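The trade-off argued over above (deferral-based cleartext fallback versus immediate fallback) is easy to see in numbers. The following is an added worked example, not code from the thread, from Postfix or from sendmail: it models the retry schedule the thread describes (5-minute initial delay, doubling, cut off somewhat over an hour) and runs two fallback policies over constructed scenarios. The 300 s and 4000 s constants are Postfix's documented defaults for minimal_backoff_time and maximal_backoff_time; the function names and the scenario lists are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed constants: Postfix's documented defaults for minimal_backoff_time
# (300 s, the "5 minutes" in the thread) and maximal_backoff_time (4000 s,
# the "somewhat over an hour" cutoff). Change them to model another MTA.
MINIMAL_BACKOFF = 300
MAXIMAL_BACKOFF = 4000


def retry_delays(n: int, minimal_backoff: int = MINIMAL_BACKOFF,
                 maximal_backoff: int = MAXIMAL_BACKOFF) -> List[int]:
    """Seconds the mail waits in the deferred queue after attempts 1..n:
    the initial delay doubles on every deferral until it hits the cap."""
    delays = []
    delay = minimal_backoff
    for _ in range(n):
        delays.append(delay)
        delay = min(delay * 2, maximal_backoff)
    return delays


@dataclass(frozen=True)
class Delivery:
    attempt: int      # 1-based delivery attempt on which the mail left the queue
    elapsed: int      # seconds between the first attempt and delivery
    cleartext: bool   # True if the message was sent without TLS


def deferred_fallback(starttls_ok: List[bool], fallback_attempt: int = 2,
                      minimal_backoff: int = MINIMAL_BACKOFF,
                      maximal_backoff: int = MAXIMAL_BACKOFF) -> Optional[Delivery]:
    """Deferral-based policy as the thread describes it: a STARTTLS failure
    on every MX host defers the message, and cleartext is only allowed
    from `fallback_attempt` onward.  starttls_ok[i] says whether STARTTLS
    succeeded on attempt i+1 (True) or failed on all MX hosts (False)."""
    delays = retry_delays(len(starttls_ok), minimal_backoff, maximal_backoff)
    elapsed = 0
    for attempt, ok in enumerate(starttls_ok, start=1):
        if ok:
            return Delivery(attempt, elapsed, cleartext=False)
        if attempt >= fallback_attempt:
            return Delivery(attempt, elapsed, cleartext=True)
        elapsed += delays[attempt - 1]   # deferred: wait for the next retry
    return None  # still queued after the modelled attempts


def immediate_fallback(starttls_ok: List[bool]) -> Delivery:
    """The contrasting policy: if STARTTLS fails on the first attempt the
    message goes out in cleartext right away, with no deferral."""
    return Delivery(1, 0, cleartext=not starttls_ok[0])


def compare(starttls_ok: List[bool], **kw) -> dict:
    """Run both policies on one scenario for a side-by-side comparison."""
    return {"deferred": deferred_fallback(starttls_ok, **kw),
            "immediate": immediate_fallback(starttls_ok)}


if __name__ == "__main__":
    # Constructed scenarios: a transient glitch that clears by the retry,
    # and a site whose STARTTLS is persistently broken.
    glitch = [False, True]
    broken = [False, False, False]
    print("backoff schedule (s):", retry_delays(6))
    print("transient glitch:    ", compare(glitch))
    print("persistently broken: ", compare(broken))
    # The "second attempt within a minute or two" variant from the thread:
    print("broken, 60 s backoff:", deferred_fallback(broken, minimal_backoff=60))
```

With the defaults, the transient-glitch scenario is where the two policies diverge: immediate fallback sends that message in cleartext at once, while the deferral policy delivers it over TLS 300 seconds later. For the persistently broken site both end up in cleartext, the deferral policy after a 5-minute wait (60 seconds with the shorter backoff). Pushing `fallback_attempt` out to 3 shows why the delay matters to the argument: the cleartext delivery then only happens after 900 seconds, since the second deferral waits twice as long as the first.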