On 22 Sep 2020, at 12:10, Christian Eyrich via Exim-users wrote:
> Hi,
>
> a few weeks ago the GMX mail servers stopped sending mails to my
> server.
> The GMX mailer daemon writes:
>
>   A message that you sent could not be delivered to one or more of
>   its recipients. This is a permanent error. The following address(es)
>   failed:
>
>   [email protected]:
>   remote MX does not support STARTTLS
>
> Thing is that my mail server does support STARTTLS and also advertises
> this, which I verified in the Exim debug log and also recorded with
> tshark:
>
> 20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net
> 21 94.16.119.13 → 212.227.15.19 SMTP 224 S: 250-mail.eyrich-net.org: Hello mout.gmx.net [212.227.15.19] | 250-SIZE 52428800 | 250-8BITMIME | 250-PIPELINING | 250-CHUNKING | 250-STARTTLS | 250-PRDR | 250 HELP
> 22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK] Seq=20 Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370
> 23 94.16.119.13 → 212.227.15.19 SMTP 114 S: 421 mail.eyrich-net.org: lost input connection
>
> Has something like that happened to you in the past or can you
> reproduce it on my server?

No. Your server seems to support TLS v1.3 and v1.2 just fine.

> BTW: Yes, mails from other systems arrive without problems. So that
> looks like a general GMX error to me.

Yes. There are 2 issues that *may* be causing trouble:
1. You don't allow any TLS versions below 1.2. While that may seem to be
a safety measure, it actually can cause problems because a client that
does not support v1.2 or v1.3 can only resort to sending in clear text.
2. Your server is soliciting client certificates and sending a list of
126 acceptable CAs. Some clients may interpret the solicitation of
client certs as a demand for a client cert, and when they cannot match a
CA on that list, will give up. Unless you are using client certs for
authentication (generally not useful on port 25) there's no reason to
solicit them.
I do not know that GMX is making the specific errors that would make
those configuration choices impair their delivery to you, but it is
possible and there's not a strong argument for either unusual choice.

> But GMX is a quite large provider here in Germany and the problem
> has persisted since the beginning of September now—shouldn’t somebody
> have noticed that?
>
> Since I also wasn't able to contact the GMX postmaster I’m asking
> you for ideas.

Since GMX offers free accounts, you might find it useful to get one so
that you can contact them more easily.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
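
Added example, not part of the original message or of Exim: a small Python check that reads a tshark summary in the layout quoted above and reports the stage at which the client closed the SMTP session, which separates a close before STARTTLS from a close once TLS records were on the wire. The sample lines, the addresses and the `classify` helper are constructed for illustration, and it assumes tshark labels frames after STARTTLS with a protocol name starting with `TLS`.

```python
import re

# Constructed sample in the column layout of the capture quoted above:
# frame number, source, destination, protocol, length, info.
SAMPLE = """\
20 192.0.2.19 → 198.51.100.13 SMTP 85 C: EHLO mout.example.net
21 198.51.100.13 → 192.0.2.19 SMTP 224 S: 250-mx.example.org: Hello | 250-SIZE 52428800 | 250-STARTTLS | 250 HELP
22 192.0.2.19 → 198.51.100.13 TCP 66 41705 → 25 [FIN, ACK] Seq=20 Ack=228
23 198.51.100.13 → 192.0.2.19 SMTP 114 S: 421 mx.example.org: lost input connection
"""

LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(?:→|->)\s+(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")


def classify(capture: str, server_ip: str) -> str:
    """Return the stage at which the client ended the SMTP session."""
    advertised = requested = accepted = tls_seen = False
    for raw in capture.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # wrapped or unrelated line
        _, src, _dst, proto, _len, info = m.groups()
        from_server = src == server_ip
        if proto == "SMTP" and from_server and re.search(r"\b250[- ]STARTTLS\b", info):
            advertised = True   # server offered STARTTLS in its EHLO reply
        elif proto == "SMTP" and not from_server and re.match(r"C:\s*STARTTLS\b", info, re.I):
            requested = True    # client issued the STARTTLS command
        elif proto == "SMTP" and from_server and requested and re.match(r"S:\s*220\b", info):
            accepted = True     # server said go ahead
        elif proto.startswith("TLS") and accepted:
            tls_seen = True     # handshake records are on the wire
        elif proto == "TCP" and not from_server and re.search(r"\[[^\]]*\b(FIN|RST)\b", info):
            if not advertised:
                return "closed-before-ehlo-reply"
            if not requested:
                return "closed-after-ehlo-without-starttls"
            if not tls_seen:
                return "closed-after-starttls-before-handshake"
            return "closed-during-or-after-tls"
    return "no-client-close-seen"


if __name__ == "__main__":
    print(classify(SAMPLE, "198.51.100.13"))
```
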