Disable TLS outbound for certain domains

Your question

I am looking for a way to disable TLS for certain domains. I figured that before the upgrade to 0.16, but can’t find the documentation I used back then.
I know I need to create a new TLS strategy with TLS disabled and then change the conditions on when it is used. Remember it was not too easy to get the conditions right. Anyone know a howto?

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

Here is a step-by-step guide based on the current documentation.


How to disable TLS for specific domains on outbound

The process involves two steps: (1) create a MtaTlsStrategy object with STARTTLS disabled, then (2) update the tls expression on MtaOutboundStrategy to select it for the target domain(s).

Step 1 – Create the TLS strategy

In the WebUI go to Settings › MTA › Outbound › TLS Strategies and create a new strategy (e.g. named no-tls) with startTls set to disable:

{
  "name": "no-tls",
  "startTls": "disable"
}

Step 2 – Wire it up in the Outbound Strategy expression

Go to Settings › MTA › Outbound › Strategy and edit the tls expression on the MtaOutboundStrategy singleton. Use rcpt_domain to match the target domain(s):

{
  "tls": {
    "match": [
      {"if": "rcpt_domain == 'example.com'", "then": "'no-tls'"}
    ],
    "else": "'default'"
  }
}

You can add further if clauses for additional domains. The else branch must point to a strategy that already exists (e.g. your default MtaTlsStrategy).

Key variables available in the expression:

  • rcpt_domain – the recipient’s domain (most useful here)
  • mx – the resolved MX hostname (useful if you want to match by mail server rather than envelope domain)

Full details, including the “progressively relax TLS on retry” pattern, are in the docs:

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
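As an added example (not from the original thread and not Stalwart's own code), the following Python renders the `tls` match expression from the answer above for a list of domains, checks the caveat that every referenced MtaTlsStrategy exists and that the `else` fallback does not itself disable STARTTLS, and shows that `rcpt_domain == '...'` is an exact match (subdomains are not covered). The strategy objects and the simplified evaluator are assumptions for illustration, not the server's real expression engine.

```python
import json
import re

# Constructed sample of MtaTlsStrategy objects keyed by name (hypothetical, not a
# real Stalwart export): "default" keeps STARTTLS, "no-tls" disables it.
TLS_STRATEGIES = {
    "default": {"name": "default", "startTls": "require"},
    "no-tls": {"name": "no-tls", "startTls": "disable"},
}

# Only the simple `rcpt_domain == '<domain>'` clause form from the answer is modelled.
_CLAUSE = re.compile(r"^rcpt_domain == '([^']+)'$")

def build_tls_expression(no_tls_domains, strategy="no-tls", fallback="default"):
    """Render the `tls` expression for MtaOutboundStrategy: one `if` clause per
    domain that must skip STARTTLS, everything else falling through to `fallback`."""
    clauses = [
        {"if": f"rcpt_domain == '{d}'", "then": f"'{strategy}'"}
        for d in sorted({d.strip().lower() for d in no_tls_domains})
    ]
    return {"tls": {"match": clauses, "else": f"'{fallback}'"}}

def validate_tls_expression(expr, strategies):
    """Return problems: every `then`/`else` must name an existing strategy, and the
    fallback must not itself disable STARTTLS (that would turn TLS off for everyone)."""
    tls, problems = expr["tls"], []
    for ref in [c["then"] for c in tls["match"]] + [tls["else"]]:
        if ref.strip("'") not in strategies:
            problems.append(f"unknown TLS strategy referenced: {ref}")
    fallback = tls["else"].strip("'")
    if strategies.get(fallback, {}).get("startTls") == "disable":
        problems.append(f"fallback strategy '{fallback}' disables STARTTLS for all domains")
    return problems

def select_strategy(expr, rcpt_domain):
    """Simplified evaluator: first matching clause wins, else the `else` branch.
    Matching is exact, so mail.example.com does NOT inherit example.com's clause."""
    for clause in expr["tls"]["match"]:
        m = _CLAUSE.match(clause["if"])
        if m and m.group(1) == rcpt_domain.lower():
            return clause["then"].strip("'")
    return expr["tls"]["else"].strip("'")

if __name__ == "__main__":
    expr = build_tls_expression(["example.com", "Legacy.Example.Net"])
    print(json.dumps(expr, indent=2))
    print(validate_tls_expression(expr, TLS_STRATEGIES))  # []
    print(select_strategy(expr, "mail.example.com"))  # default
```

Run the validator against your own strategy list before saving the expression: a typo in a strategy name or a fallback that points at the no-TLS strategy is the kind of mistake that is easy to make and hard to notice.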