On Sat, Nov 01, 2025 at 03:50:10PM +1100, Viktor Dukhovni via Exim-users wrote:
> > Well, that's ugly in combination with DANE... e.g. mail[12].polisen.se needs it
> > # openssl s_client -starttls smtp -connect mail1.polisen.se:25 -groups "X25519MLKEM768:*X25519:P-256:ffdhe3072"
> > works, but with MLKEM [as an unsolicited initial keyshare] it doesn't.
>
> Thanks, that's now three not particularly obscure domains I'm aware of
> with MX hosts that exhibit symptoms of aversion to larger TLS Client
> Hellos. The other two being "minaz.nl" and "handelshanken.se". I've
> sent notices to contact email addresses of the latter two, I hope
> they'll take prompt action. Have you by any chance made contact with
> polisen.se?

By the way, probing more closely, I encounter TLS handshake timeouts
with mail[12].polisen.se only over IPv6; otherwise identical IPv4 TLS
handshakes with X25519MLKEM768 keyshares succeed.
--
Viktor. 🇺🇦 Glory to Ukraine!
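An added example, not part of the original message: a small probe matrix for checking one of your own MX hosts for the symptom described above, comparing a small and a large initial keyshare over IPv4 and IPv6. It assumes GNU timeout and an OpenSSL build that accepts the group syntax quoted in the thread; PQ_GROUPS, the 20 second timeout and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Group strings use the syntax quoted above.
SMALL_GROUPS='X25519MLKEM768:*X25519:P-256:ffdhe3072'  # from the thread: X25519 keyshare only
PQ_GROUPS='*X25519MLKEM768:X25519:P-256:ffdhe3072'     # constructed: ML-KEM keyshare sent up front
PROBE_TIMEOUT=${PROBE_TIMEOUT:-20}                      # seconds; assumed value

# Map an exit status to a result (124 is what GNU timeout returns on expiry).
classify() {
    case "$1" in
        0)   echo ok ;;
        124) echo timeout ;;
        *)   echo fail ;;
    esac
}

# probe <-4|-6> <groups> <host>: one STARTTLS handshake, prints ok|timeout|fail.
probe() {
    rc=0
    timeout "$PROBE_TIMEOUT" openssl s_client "$1" -starttls smtp \
        -connect "$3:25" -groups "$2" </dev/null >/dev/null 2>&1 || rc=$?
    classify "$rc"
}

# A family is affected when the small hello works but the large one does not.
affected() { [ "$1" = ok ] && [ "$2" != ok ]; }

# verdict <v4_small> <v4_pq> <v6_small> <v6_pq>
verdict() {
    v4=no; v6=no
    if affected "$1" "$2"; then v4=yes; fi
    if affected "$3" "$4"; then v6=yes; fi
    case "$v4$v6" in
        yesyes) echo "large ClientHello fails on IPv4 and IPv6" ;;
        yesno)  echo "large ClientHello fails on IPv4 only" ;;
        noyes)  echo "large ClientHello fails on IPv6 only" ;;
        *)      echo "no size-dependent failure observed" ;;
    esac
}

main() {
    r4s=$(probe -4 "$SMALL_GROUPS" "$1"); r4p=$(probe -4 "$PQ_GROUPS" "$1")
    r6s=$(probe -6 "$SMALL_GROUPS" "$1"); r6p=$(probe -6 "$PQ_GROUPS" "$1")
    printf 'IPv4 small=%s pq=%s\nIPv6 small=%s pq=%s\n' "$r4s" "$r4p" "$r6s" "$r6p"
    verdict "$r4s" "$r4p" "$r6s" "$r6p"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with the MX host name as the only argument; a "fail" on both keyshare variants of one address family usually means that family is unreachable rather than size-sensitive.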