I'm now more confused than usual.

I've set up a new server - and it *was* working fine...but then I actually really truly enabled TLS in ASSP (Note to all - if you're going to use certbot's "live" certs directly from any other program, make sure you have proper read/enter access to the "live" and "archive" folders). And while many other servers don't seem to have an issue, Gmail & Hotmail definitely do. It appears they connect, handshake, and then time out.

If I set NOTLSlistenPorts to 25 Gmail/Hotmail are fine - just no TLS.

If anyone wants to test - please try sending to the address "pubtest at danmarkreps.com". Someone from the Postfix group sent me a test message without issue - so I'm not totally broken.

I tried the Postfix tool posttls-finger - and I see the following:
# posttls-finger danmarkreps.com
posttls-finger: Connected to smtp.danmarkreps.com[107.175.220.136]:25
posttls-finger: < 220 mail.danmarkreps.com ESMTP Postfix
posttls-finger: > EHLO mail.danmarkreps.com
posttls-finger: < 250-mail.danmarkreps.com
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-SIZE 700000000
posttls-finger: < 250-VRFY
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 NOOP
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: host.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: imap.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: mail.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: smtp.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: www.danmarkreps.com
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25 CommonName danmarkreps.com
posttls-finger: certificate verification failed for smtp.danmarkreps.com[107.175.220.136]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subject_CN=danmarkreps.com, issuer_CN=Let's Encrypt Authority X3, fingerprint=E2:D2:9F:04:A5:1B:E8:8A:EA:1C:DA:67:81:01:D4:FD:01:97:6B:33, pkey_fingerprint=A0:52:8A:C6:88:89:C0:C1:43:72:9D:29:D5:C2:0D:BD:5F:9B:BC:D6
posttls-finger: Untrusted TLS connection established to smtp.danmarkreps.com[107.175.220.136]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
posttls-finger: > EHLO mail.danmarkreps.com
posttls-finger: timeout while sending EHLO
posttls-finger: > QUIT
posttls-finger: warning: timeout while sending QUIT command


I don't understand why there are two "EHLO" commands - one before the STARTTLS and one after - but I assume that's correct. But it appears that after the STARTTLS handshake things die - at least for this tool and some servers, while others send without issue.

--
Daniel
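A small probe that replays the posttls-finger session above step by step, added here as an example (it is not part of the original post, nor ASSP or Postfix code): it records the reply to each stage and names the last stage that completed before the server stopped answering. The second EHLO is what RFC 3207 requires, since STARTTLS resets the session; the host, port and HELO name are placeholders, and the verification-off setting mirrors posttls-finger's "Untrusted TLS connection" behaviour for diagnosis only.

```python
import io
import socket
import ssl

def read_reply(f):
    """Read one multi-line SMTP reply; return (code, [line texts without the code])."""
    lines = []
    while True:
        raw = f.readline()
        if not raw:
            raise ConnectionError("peer closed the connection mid-reply")
        line = raw.decode("utf-8", "replace").rstrip("\r\n")
        lines.append(line[4:])
        if len(line) < 4 or line[3] == " ":  # "250 " ends the reply, "250-" continues it
            return int(line[:3]), lines

def parse_reply(data):
    """read_reply over an in-memory byte string, for offline checks."""
    return read_reply(io.BytesIO(data))

def ehlo_capabilities(lines):
    """EHLO reply lines (first is the server name) -> {KEYWORD: [params]}."""
    return {p[0].upper(): p[1:] for p in (t.split() for t in lines[1:]) if p}

def starttls_probe(host, port=25, timeout=10, helo="probe.example.invalid"):
    """Stages: banner, ehlo, starttls, tls (version), ehlo_tls; 'timeout_after' = last one seen."""
    result = {}
    sock = socket.create_connection((host, port), timeout=timeout)
    f = sock.makefile("rb")
    try:
        result["banner"] = read_reply(f)[0]
        sock.sendall(f"EHLO {helo}\r\n".encode())
        result["ehlo"], lines = read_reply(f)
        if "STARTTLS" not in ehlo_capabilities(lines):
            return {**result, "starttls": "not offered"}
        sock.sendall(b"STARTTLS\r\n")
        result["starttls"] = read_reply(f)[0]
        # Diagnostic only: like posttls-finger, continue past an untrusted chain so the
        # post-handshake stage can be observed; never relay real mail with verification off.
        ctx = ssl.create_default_context()
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
        tls = ctx.wrap_socket(sock, server_hostname=host)
        result["tls"] = tls.version()
        # RFC 3207: the server discards pre-STARTTLS state, so the client must EHLO again.
        tls.sendall(f"EHLO {helo}\r\n".encode())
        result["ehlo_tls"] = read_reply(tls.makefile("rb"))[0]
        tls.sendall(b"QUIT\r\n")
    except socket.timeout:
        result["timeout_after"] = list(result)[-1] if result else "connect"
    finally:
        sock.close()
    return result
```

A healthy server yields `ehlo_tls: 250` with no `timeout_after` key; the stall described in the post shows up as `tls: 'TLSv1.3'` followed by `timeout_after: 'tls'`.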


_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
