Hello list,

We've setup a nginx reverse smtp proxy to load balance incoming access to our mailservers.
Everything is fine... until

Some remote sites have broken tls setups and can't deliver mails anymore. Some didn't accept Let's Encrypt as CA for instance.
Now I'm searching a way to not provide STARTTLS to them.
The AUTH Methode is to late here because it will be started after "rcpto to:".
Is there way to call an "Auth Script" after Client-Helo and decide whether dto send STARTTLS Option or not?

I know i can do some redirect with the firewall but i would like to add some logic to the desition to provide STARTTLS or not.

Tnx for reading .
/ramber