TLS-sending guarantee @posteo.de
──────────────────────────────────────────────────────────────────────
Today, an internet fellow reported to me a strange issue he had when 
sending me emails from his @posteo.de address. The mail bounced with 
the following error:
 
“ TLS is required, but was not offered by host „ 
 
What ? I run opensmtpd, whose configuration includes the following 
line:
 
     listen on egress tls pki lucy.z3bra.org
 
This makes the server listen on port 25 and accept upgrading the 
connection to TLS with the STARTTLS command (RFC 3207). A quick telnet 
session demonstrates that it works as expected:
 
     220 lucy.z3bra.org ESMTP OpenSMTPD
     HELO sweetie
     250 lucy.z3bra.org Hello sweetie [redacted], pleased to meet you
     STARTTLS
     220 2.0.0 Ready to start TLS
 
So what is posteo really complaining about ?
 
After searching a bit, I found that they have an option called « 
TLS-sending guarantee » (off by default). See their help article on 
the TLS-sending guarantee for further details [0]:
 
“ As standard, before sending each email, Posteo attempts to create 
an encrypted connection with other email servers. If the TLS-sending 
guarantee is activated for your account, we will only send your email 
if it can be securely delivered to the recipient. „
 
My guess is that TLS is checked by connecting to port 465 first, and 
considering it « unsafe » if the connection is refused. It is probable 
that checking STARTTLS is costly in terms of resources, because it 
means restarting an already established connection.
 
Of course, opensmtpd supports that, and the configuration was 
*extremely* easy:
 
     listen on egress smtps pki lucy.z3bra.org
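
Both listeners can be checked from the outside with the probe below. It 
is an added example written for this page, not code from OpenSMTPD or 
Posteo, and since Posteo's actual test procedure is not documented 
here it simply tries both paths a sending MTA might use: EHLO followed 
by STARTTLS on port 25, and implicit TLS on port 465. The timeout, the 
client name probe.invalid and the sample EHLO reply are assumed or 
constructed. One caveat: a server lists STARTTLS only in its reply to 
EHLO, never after a plain HELO as in the telnet session above, so a 
client that speaks HELO has no standards-based way to learn that the 
upgrade is available.

```python
"""Probe whether a mail server offers TLS on either path a sending MTA
might test: STARTTLS on port 25 (RFC 3207) or implicit TLS ("smtps")
on port 465 (RFC 8314).

Added example, not part of OpenSMTPD or Posteo. The host name is the
one from the post; timeout, client name and sample reply are assumed.
"""
import socket
import ssl

TIMEOUT = 10  # seconds, assumed value


def read_reply(sock):
    """Read one SMTP reply, which may span several lines.

    Continuation lines look like "250-TEXT", the final line "250 TEXT"
    (space after the code). Returns (numeric code, list of raw lines).
    """
    buf = b""
    lines = []
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("peer closed the connection mid-reply")
        buf += chunk
        while b"\r\n" in buf:
            raw, buf = buf.split(b"\r\n", 1)
            line = raw.decode("ascii", errors="replace")
            lines.append(line)
            if len(line) < 4 or line[3] == " ":
                return int(line[:3]), lines


def ehlo_extensions(reply_lines):
    """Return the set of extension keywords advertised in an EHLO reply.

    The first line carries the greeting; each later line is one keyword,
    optionally followed by parameters ("SIZE 36700160"). Only EHLO
    elicits this list; after HELO nothing is advertised.
    """
    exts = set()
    for line in reply_lines[1:]:
        body = line[4:].strip()
        if body:
            exts.add(body.split()[0].upper())
    return exts


def send_line(sock, text):
    sock.sendall(text.encode("ascii") + b"\r\n")


def probe_starttls(host, port=25, ctx=None):
    """Connect in the clear, EHLO, then try to upgrade with STARTTLS.

    'advertised': STARTTLS listed in EHLO; 'upgraded': handshake done;
    'error': text of whatever failed (certificate errors included, as
    the default context verifies chain and host name).
    """
    ctx = ctx or ssl.create_default_context()
    result = {"advertised": False, "upgraded": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            code, _ = read_reply(sock)
            if code != 220:
                raise RuntimeError("unexpected greeting %d" % code)
            send_line(sock, "EHLO probe.invalid")  # assumed client name
            code, lines = read_reply(sock)
            result["advertised"] = "STARTTLS" in ehlo_extensions(lines)
            send_line(sock, "STARTTLS")
            code, lines = read_reply(sock)
            if code != 220:
                raise RuntimeError("STARTTLS refused: %s" % lines[-1])
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["upgraded"] = True
                result["protocol"] = tls.version()
                send_line(tls, "QUIT")
    except (OSError, RuntimeError, ValueError) as exc:  # SSLError is an OSError
        result["error"] = str(exc)
    return result


def probe_smtps(host, port=465, ctx=None):
    """Open an implicit-TLS connection and check for the 220 banner."""
    ctx = ctx or ssl.create_default_context()
    result = {"connected": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=TIMEOUT) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                code, _ = read_reply(tls)
                result["connected"] = code == 220
                result["protocol"] = tls.version()
                send_line(tls, "QUIT")
    except (OSError, ValueError) as exc:
        result["error"] = str(exc)
    return result


# Constructed sample EHLO reply, modelled on what OpenSMTPD typically
# sends (not captured from lucy.z3bra.org), so the parser runs offline.
SAMPLE_EHLO = [
    "250-lucy.z3bra.org Hello probe.invalid [192.0.2.10], pleased to meet you",
    "250-8BITMIME",
    "250-ENHANCEDSTATUSCODES",
    "250-SIZE 36700160",
    "250-DSN",
    "250-STARTTLS",
    "250 HELP",
]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "lucy.z3bra.org"
    print("sample EHLO extensions:", sorted(ehlo_extensions(SAMPLE_EHLO)))
    print("port 25 STARTTLS:", probe_starttls(host))
    print("port 465 smtps:  ", probe_smtps(host))
```

Run it as `python3 probe.py lucy.z3bra.org`. A result with `advertised` 
True but `upgraded` False and an error naming the certificate points at 
a chain or host-name problem rather than a missing listener; the 
default ssl context verifies both, so the probe is at least as strict 
as a verifying sender would be.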

You learn something new every day !
-- 
~wgs

[0]: https://posteo.de/en/help/activating-tls-sending-guarantee

20201020.2031