On 23.09.2020 at 19:36, Mike Tubby via Exim-users wrote:
> On 23/09/2020 18:16, Jeremy Harris via Exim-users wrote:
>> On 23/09/2020 16:59, Bill Cole via Exim-users wrote:
>>> 1. You don't allow any TLS versions below 1.2. While that may seem to be
>>> a safety measure, it actually can cause problems because a client that
>>> does not support v1.2 or v1.3 can only resort to sending in clear text.
>>>
>>> 2. Your server is soliciting client certificates and sending a list of
>>> 126 acceptable CAs. Some clients may interpret the solicitation of
>>> client certs as a demand for a client cert, and when they cannot match a
>>> CA on that list, will give up. Unless you are using client certs for
>>> authentication (generally not useful on port 25) there's no reason to
>>> solicit them.
>> No, neither of those - the GMX end is not even soliciting STARTTLS.
>> It doesn't get as far as trying a TLS handshake.
>>
>> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
>> if one of those is confusing them.
>
> Disable chunking, enable TLS v1.1

Unfortunately already tried that in the meantime.

> and are you using RSA or ECC certificates at your end?

It’s plain old RSA 4096. But GMX doesn’t even get that far to start TLS.

Regards,
Christian

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
