Hello Patrick,

Patrick Domack wrote:
> Looks like two different issues.
>
> The certificate name on smtp3.strotmann.de doesn't match, it is
> mail.tidelock.de instead.

Yes, true, but that should not be an issue when using DANE-EE(3).

From https://tools.ietf.org/html/rfc7671#section-5.1:

> In particular, the binding of the server public key to its
> name is based entirely on the TLSA record association. The server
> MUST be considered authenticated even if none of the names in the
> certificate match the client's reference identity for the server.

> When using smtp2.strotmann.de, the TLS/DANE part works fine, but after
> this, and you attempt to send an email, it fails.
> posttls-finger: Verified TLS connection established to
> smtp2.strotmann.de[5.45.109.212]:25: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> posttls-finger: > EHLO mx3.grsi.com
> posttls-finger: < 500 5.5.1 Command unrecognized
> posttls-finger: EHLO rejected: 500 5.5.1 Command unrecognized
> posttls-finger: > QUIT
>
> I am not sure what is talking here, but it's not postfix and it's not
> allowing the ehlo to be processed.

This is OpenBSD's "spamd" intercepting. I need to check why it is
intercepting here, and not transparently piping towards the Postfix.

Thanks for the pointers, I will check that.

-- Carsten
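Added example, not part of the original message or of Postfix: a minimal sketch of the DANE-EE(3) decision quoted from RFC 7671 section 5.1, where the TLSA match alone authenticates the server and the certificate names are not consulted. The function names, the byte strings standing in for DER data, and the "3 1 1" record are constructed for illustration; only the two host names come from the thread.

```python
import hashlib
from typing import NamedTuple

class TLSA(NamedTuple):
    usage: int      # 3 = DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def tlsa_matches(rr, cert_der, spki_der):
    """True if the record's association data matches the presented leaf."""
    selected = {0: cert_der, 1: spki_der}.get(rr.selector)
    if selected is None:
        return False
    if rr.mtype == 0:
        return selected == rr.data
    if rr.mtype == 1:
        return hashlib.sha256(selected).digest() == rr.data
    if rr.mtype == 2:
        return hashlib.sha512(selected).digest() == rr.data
    return False

def dane_ee_check(rrset, cert_der, spki_der, cert_names, reference_id):
    """Return (authenticated, name_matched) for DANE-EE(3) records only.

    name_matched is reported for logging but never influences the result,
    per RFC 7671 section 5.1. Other usages are out of scope and ignored here.
    """
    name_matched = reference_id.lower() in (n.lower() for n in cert_names)
    authenticated = any(
        rr.usage == 3 and tlsa_matches(rr, cert_der, spki_der) for rr in rrset
    )
    return authenticated, name_matched

# Constructed stand-ins for DER bytes; not the real server's certificate or key.
CERT = b"constructed-leaf-certificate-der"
SPKI = b"constructed-subject-public-key-info-der"
OTHER_SPKI = b"constructed-unrelated-key"
RRSET = [TLSA(3, 1, 1, hashlib.sha256(SPKI).digest())]  # constructed "3 1 1"

def demo():
    # Name mismatch as in the thread: MX host vs. name in the certificate.
    mismatch = dane_ee_check(RRSET, CERT, SPKI, ["mail.tidelock.de"], "smtp3.strotmann.de")
    # Matching name but a key the TLSA RRset does not pin: must fail.
    wrong_key = dane_ee_check(RRSET, CERT, OTHER_SPKI, ["smtp3.strotmann.de"], "smtp3.strotmann.de")
    return mismatch, wrong_key

if __name__ == "__main__":
    print(demo())
```

The first result is authenticated despite the name mismatch; the second is rejected despite a matching name, because only the pinned key counts under DANE-EE(3).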
