TLS is required, but was not offered by <host>

DELUSiONAL

Hello all,

So I’m trying to sent an e-mail from a domain hosted on a Mailcow instance to an domain that does not support or have TLS and DANE not properly configured. I instant get the mail back with:

<user@sub.domain.tld>: TLS is required, but was not offered by
    host mail.sub.domain.tld[123.123.123.123]

I’m trying to figure out why I can’t get rid of this error, dispite of all my tries of changing the configs.
I tried:

Put the effected domain in “TLS policy maps” with to policy set to “none”, also tried “may” but the same result
Put alle kinds of values (on by one and in several combinations (read on the forum and in the Postfix docs)).
Some examples:

#
# added in /opt/mailcow-dockerized/data/conf/postfix/extra.cf
#
smtp_tls_security_level = may

smtp_tls_policy_maps = proxy:mysql:/opt/postfix/conf/sql/mysql_tls_policy_override_maps.cf
smtp_tls_security_level = dane
smtp_dns_support_level = dnssec
smtp_tls_loglevel = 1

smtpd_tls_mandatory_protocols =
smtpd_tls_protocols =
smtp_tls_mandatory_protocols =
smtp_tls_protocols =

Restarted the containers after earch adjustment
docker compose restart postfix-tlspol-mailcow postfix-mailcow
Several restarts of the complete Mailcow stack

This is exactly what happens in the logs the moment when when the “send” button in pressed.

postfix-mailcow-1  | Jan 26 13:51:56 2e680ac4c4f8 postfix/sogo/smtpd[1862]: connect from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/sogo/smtpd[1862]: 1729CC2246: client=mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248], sasl_method=plain, sasl_username=user@mydomain.tld
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/cleanup[1863]: 1729CC2246: replace: header Received: from 35282a9aba3d (mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network [172.22.1.248])??(Authenticated sender: user@mydomain.tld)??by mail.mydomain.tld (Postcow) with ESMTPA id 1729CC from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]; from=<user@mydomain.tld> to=<user@sub.domain.tld> proto=ESMTP helo=<35282a9aba3d>: Received: from [127.0.0.1] (localhost [127.0.0.1]) by localhost (Mailerdaemon) with ESMTPA id 1729CC2246??for <user@sub.domain.tld>; Mon, 26 Jan 2026 13:51:57 +0100 (CET)
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/cleanup[1863]: 1729CC2246: message-id=<552b1062-0a90-4808-426a-c4571f24d71a@mydomain.tld>
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/cleanup[1863]: 1729CC2246: prepend: header Content-Type: multipart/alternative; boundary="----=_=-_OpenGroupware_org_NGMime-71-1769431916.931647-4------" from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]; from=<user@mydomain.tld> to=<user@sub.domain.tld> proto=ESMTP helo=<35282a9aba3d>: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/cleanup[1863]: 1729CC2246: prepend: header Content-Type: text/plain; charset=utf-8 from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]; from=<user@mydomain.tld> to=<user@sub.domain.tld> proto=ESMTP helo=<35282a9aba3d>: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/cleanup[1863]: 1729CC2246: prepend: header Content-Type: text/html; charset=utf-8 from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248]; from=<user@mydomain.tld> to=<user@sub.domain.tld> proto=ESMTP helo=<35282a9aba3d>: List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive;
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/qmgr[374]: 1729CC2246: from=<user@mydomain.tld>, size=1140, nrcpt=1 (queue active)
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/sogo/smtpd[1862]: disconnect from mailcowdockerized-sogo-mailcow-1.mailcowdockerized_mailcow-network[172.22.1.248] ehlo=1 auth=1 mail=1 rcpt=1 data=1 quit=1 commands=6
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 enforced-tls-smtp/smtp[1864]: 1729CC2246: to=<user@sub.domain.tld>, relay=mail.sub.domain.tld[123.123.123.123]:25, delay=0.51, delays=0.44/0.01/0.06/0, dsn=5.7.4, status=bounced (TLS is required, but was not offered by host mail.sub.domain.tld[123.123.123.123])
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/cleanup[1866]: 82685C2122: message-id=<20260126125157.82685C2122@mail.mydomain.tld>
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/bounce[1865]: 1729CC2246: sender non-delivery notification: 82685C2122
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/qmgr[374]: 82685C2122: from=<>, size=3772, nrcpt=1 (queue active)
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/qmgr[374]: 1729CC2246: removed
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/lmtp[1868]: 82685C2122: to=<user@mydomain.tld>, relay=dovecot[fd4d:6169:6c63:6f77::a]:24, delay=0.03, delays=0/0/0/0.02, dsn=2.0.0, status=sent (250 2.0.0 <user@mydomain.tld> UKloIG1jd2nBeAAAbfkwIQ Saved)
postfix-mailcow-1  | Jan 26 13:51:57 2e680ac4c4f8 postfix/qmgr[374]: 82685C2122: removed

What am I doing wrong?

Thanks in advance for your fresh look at things!

ETNyx

By this log line postfix-mailcow-1 | Jan 26 13:51:57 2e680ac4c4f8 enforced-tls-smtp/smtp[1864]: 1729CC2246: to=<user@sub.domain.tld>, relay=mail.sub.domain.tld[123.123.123.123]:25, delay=0.51, delays=0.44/0.01/0.06/0, dsn=5.7.4, status=bounced (TLS is required, but was not offered by host mail.sub.domain.tld[123.123.123.123]) you can see that, your mail is routed through enforced-tls-smtp postfix transport. As you can see it is overriding your smtp_tls_security_level. That’s why,..

DELUSiONAL

Ah, yes, I see. Totally look over that. Thanks for pointing that out to me.
I adjusted:
-o smtp_tls_security_level=encrypt" to -o smtp_tls_security_level=may in /opt/mailcow-dockerized/data/conf/postfix/master.cf

And now I’m able to send.

What I don’t get is the point of TLS policy maps.
Because the postfix/master.cf effects the entire Mailcow server with all of it’s domains serving.

edit: typo

ETNyx

I would suggest to revert your change and investigate further (not sure if your change will survive next update,…). You may find a bug and fix it for all of us, or that you miss something.

DELUSiONAL What I don’t get is the point of TLS policy maps.
Because the postfix/master.cf effects the entire Mailcow server with all of it’s domains serving.

In UI there is setting of enforcing TLS, this should decide if you are forcing your users to use smtp_enforced_tls or more relaxed smtp transport (this one will honor your smtp_tls_security_level in main/extra config file). Think this is the query that decide what transport use to.

So, first find sender of that message and check that config in UI. Possibly test that query if it works, and investigate further.