> On Fri, Feb 05, 2016 at 06:42:34AM -0800, Ned Freed wrote:
>
> > > The implementation and documentation of this was joint work with
> > > Wietse back in early 2006. These days, when STARTTLS fails, Postfix
> > > tries other MX hosts first and if they all fail, defers the mail
> > > initially. Cleartext fallback kicks in on the second delivery
> > > attempt if STARTTLS fails again.
> >
> > Actually, I consider this approach as unacceptable unless the second delivery
> > attempt occurs within a minute or two. (Which, incidentally, is a much shorter
> > retry period after deferral than the standards recommend.)
>
> The default is 5 minutes, with doubling exponential backoff up to
> a cutoff of somewhat over an hour:

That's borderline IMO.

> ...
> As for "unacceptable", you might find the below fall into that
> category:
>
> * IIRC Sendmail never falls back to cleartext if STARTTLS is
> advertised.

A fix has been available for a while; the apparent plan is to integrate it
into sendmail 8.16. See:

http://www.sendmail.org/%7Eca/email/patches/tls_failures.p1#sthash.iwHHaXb0.dpuf

for details. However, since the fix doesn't allow for immediate fallback, it
leaves a lot to be desired.

> ...
> As for a delay of < 5 minutes delivering email to such broken sites
> it is, for most users, a reasonable trade-off to reduce needless
> TLS fallback in the face of routine transmission glitches.

That's a consequence of piggybacking cleartext fallback on the deferral
mechanism you use for transmission failures. It doesn't have to be done this
way.

				Ned