Are you using fullchain.pem or cert.pem? It sounds like you’re missing an intermediate certificate, which fullchain.pem includes.

“fullchain.pem: All certificates, including server certificate (aka leaf certificate or end-entity certificate). The server certificate is the first one in this file, followed by any intermediates.”

If you don’t have the intermediate, you have a broken chain and hence it won’t be a trusted certificate.

Try connecting with:

    openssl s_client -connect mail.example.com:25 -starttls smtp

Pipe to view the certificate chain:

    openssl s_client -connect mail.example.com:25 -starttls smtp | openssl x509 -text

Two EHLO commands are normal. You usually issue a second one to see if the available commands changed due to SSL. I.e., Auth may not be available via clear text but may be available with SSL.
-M

Sent from Yahoo Mail for iPhone

On Friday, April 19, 2019, 8:15 PM, Daniel Miller via Assp-test <assp-test@lists.sourceforge.net> wrote:

I'm now more confused than usual. I've set up a new server - and it *was* working fine...but then I actually really truly enabled TLS in ASSP (Note to all - if you're going to use certbot's "live" certs directly from any other program make sure you have proper read/enter access to the "live" and "archive" folders).

And while many other servers don't seem to have an issue, Gmail & Hotmail definitely do. It appears they connect, handshake, and then time out. If I set NOTLSlistenPorts to 25, Gmail/Hotmail are fine - just no TLS.

If anyone wants to test - please try sending to the address "pubtest at danmarkreps.com". Someone from the Postfix group sent me a test message without issue - so I'm not totally broken.

I tried the Postfix tool posttls-finger - and I see the following:

    # posttls-finger danmarkreps.com
    posttls-finger: Connected to smtp.danmarkreps.com[107.175.220.136]:25
    posttls-finger: < 220 mail.danmarkreps.com ESMTP Postfix
    posttls-finger: > EHLO mail.danmarkreps.com
    posttls-finger: < 250-mail.danmarkreps.com
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-SIZE 700000000
    posttls-finger: < 250-VRFY
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-DSN
    posttls-finger: < 250 NOOP
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: danmarkreps.com
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: host.danmarkreps.com
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: imap.danmarkreps.com
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: mail.danmarkreps.com
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: Matched subjectAltName: smtp.danmarkreps.com
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subjectAltName: www.danmarkreps.com
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25 CommonName danmarkreps.com
    posttls-finger: certificate verification failed for smtp.danmarkreps.com[107.175.220.136]:25: untrusted issuer /O=Digital Signature Trust Co./CN=DST Root CA X3
    posttls-finger: smtp.danmarkreps.com[107.175.220.136]:25: subject_CN=danmarkreps.com, issuer_CN=Let's Encrypt Authority X3, fingerprint=E2:D2:9F:04:A5:1B:E8:8A:EA:1C:DA:67:81:01:D4:FD:01:97:6B:33, pkey_fingerprint=A0:52:8A:C6:88:89:C0:C1:43:72:9D:29:D5:C2:0D:BD:5F:9B:BC:D6
    posttls-finger: Untrusted TLS connection established to smtp.danmarkreps.com[107.175.220.136]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
    posttls-finger: > EHLO mail.danmarkreps.com
    posttls-finger: timeout while sending EHLO
    posttls-finger: > QUIT
    posttls-finger: warning: timeout while sending QUIT command

I don't understand why there are two "EHLO" commands - one before the STARTTLS and one after, but I assume that's correct. But it appears after the STARTTLS handshake things die - at least for this tool and some servers, while others send without issue.

--
Daniel

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test