On Thu, May 19, 2016 at 07:26:46PM +0200, Carsten Strotmann (sys4) wrote:
> My 2nd MX (smtp3.strotmann.de) is a plain postfix on Debian doing STARTTLS and having DANE TLSA. If the first MX does not offer STARTTLS, shouldn't a sender try the 2nd MX (TLSA authenticated) mail-destination in case the first fails because of missing STARTTLS?
It definitely should. DANE clients should not impose a single point of failure at the primary MX host.
However, your primary MX host has both an IPv4 and an IPv6 address, and if GMX is using Postfix as their outbound, perhaps they've set
http://www.postfix.org/postconf.5.html#smtp_mx_address_limit
to 2? This would preclude ever connecting to your backup MX. Failure to complete TLS handshakes does not count against the
http://www.postfix.org/postconf.5.html#smtp_mx_session_limit
However, the above is a rather improbable wild guess, no idea why they don't try the backup.
> I scanned RFC 7672, but couldn't find this case mentioned.
Section 2.2:
A "secure" TLSA RRset with at least one usable record: Any connection to the MTA MUST employ TLS encryption and MUST authenticate the SMTP server using the techniques discussed in the rest of this document. Failure to establish an authenticated TLS connection MUST result in falling back to the next SMTP server or delayed delivery.
I think you know some of the GMX staff in person. In which case, reach out to them, they may be able to look into what the problem looks like on their end. If you don't, drop me a note, and I'll forward the contact info I have. They should be interested in ironing out any implementation limitations on their end.
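The interaction between smtp_mx_address_limit, smtp_mx_session_limit and a dual-stack primary MX that the reply above speculates about can be made concrete with a small model. The following is an added illustration, not Postfix code and not something from this thread: it models only the documented behaviour (MX hosts tried in preference order, the address list truncated at smtp_mx_address_limit, sessions that never complete the TLS handshake not counted against smtp_mx_session_limit, and a host with a secure TLSA RRset but no STARTTLS skipped per RFC 7672 section 2.2). The host names, addresses and per-host outcomes are constructed sample data.

```python
"""Simplified model of how a Postfix-style SMTP client walks an MX list.

Illustration written for this discussion, not Postfix source. It models:
  smtp_mx_address_limit  - cap on the MX IP addresses tried per delivery
                           (list is sorted by MX preference, then truncated)
  smtp_mx_session_limit  - cap on sessions per delivery; sessions that fail
                           before completing EHLO + TLS handshake are NOT
                           counted (Postfix 2.3+ documented behaviour)
A host that publishes a secure TLSA RRset but offers no STARTTLS is skipped
without counting, as RFC 7672 section 2.2 requires falling back to the next
SMTP server. Hosts, addresses and outcomes are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class MxHost:
    name: str
    preference: int
    addresses: List[str]        # constructed IPv4/IPv6 literals
    tlsa_secure: bool           # DNSSEC-validated TLSA RRset with a usable record
    offers_starttls: bool       # advertises STARTTLS and completes the handshake
    accepts_mail: bool = True   # takes the message once a session is up


def candidate_addresses(mx_hosts: List[MxHost], address_limit: int = 5) -> List[Tuple[MxHost, str]]:
    """Expand MX hosts (lowest preference first) into (host, address) pairs,
    truncated to address_limit; 0 means no limit."""
    ordered = sorted(mx_hosts, key=lambda h: h.preference)
    pairs = [(h, a) for h in ordered for a in h.addresses]
    return pairs if address_limit == 0 else pairs[:address_limit]


def attempt_delivery(mx_hosts: List[MxHost], address_limit: int = 5,
                     session_limit: int = 2) -> List[Tuple[str, str, str]]:
    """Return a log of (host, address, outcome); the last entry is the result."""
    log = []
    counted = 0
    for host, addr in candidate_addresses(mx_hosts, address_limit):
        if session_limit and counted >= session_limit:
            log.append(("-", "-", "session limit reached, deferred"))
            return log
        if host.tlsa_secure and not host.offers_starttls:
            # Mandatory TLS cannot be established: fall back to the next
            # server. No EHLO/TLS handshake completed, so not counted.
            log.append((host.name, addr, "secure TLSA but no STARTTLS: skipped, not counted"))
            continue
        # Either TLS was negotiated, or no TLSA record made TLS optional and
        # the session proceeds (possibly in cleartext). Either way it counts.
        counted += 1
        if host.accepts_mail:
            log.append((host.name, addr, "delivered"))
            return log
        log.append((host.name, addr, "session failed after handshake: counted"))
    log.append(("-", "-", "no candidates left, deferred"))
    return log


# Constructed scenario: dual-stack primary with TLSA but no STARTTLS, and a
# single-address backup that does DANE properly.
PRIMARY = MxHost("mx1.example.test", 10, ["192.0.2.10", "2001:db8::10"],
                 tlsa_secure=True, offers_starttls=False)
BACKUP = MxHost("mx2.example.test", 20, ["192.0.2.20"],
                tlsa_secure=True, offers_starttls=True)
SAMPLE = [PRIMARY, BACKUP]


def outcome(address_limit: int) -> str:
    """Final result of a delivery attempt against SAMPLE for a given limit."""
    return attempt_delivery(SAMPLE, address_limit=address_limit)[-1][2]


if __name__ == "__main__":
    for limit in (2, 5):
        print(f"smtp_mx_address_limit = {limit}")
        for entry in attempt_delivery(SAMPLE, address_limit=limit):
            print("  ", entry)
```

With the address limit at 2, the two addresses of the primary fill the candidate list and the backup is never contacted; with the Postfix default of 5, both primary addresses are skipped without counting and the message is delivered to the backup. The third scenario in the checks below shows the session limit doing its job once sessions actually get past the handshake.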