It’s the versions of encryption offered by the host on initiation of STARTTLS. I use ASSP as a spam frontend. Changing from only TLSv1 to SSLv23:!SSLv2:!SSLv3, which is TLS only, makes it work with the following flagged error:

Note: even though the server appears to be set up correctly for MTA-STS, I recommend using a test like Qualys SSL Labs <https://www.ssllabs.com/ssltest/analyze.html?d=semperen.com&latest> to analyze the HTTP host and to test the mail host <https://en.internet.nl/mail/semperen.com/>.

Not sure why it makes a difference, since the ! excludes those protocols and leaves TLS 1.0 -> 1.3 enabled.

I modified the mta-sts.txt file to be CR-LF terminated and that got rid of that warning.

It now passes https://aykevl.nl/apps/mta-sts/ in testing mode.

It also passed https://esmtp.email/tools/mta-sts/ in testing mode.

Thanks for the food for thought! Got me looking in the right direction.

Eric

> On May 15, 2021, at 10:03 AM, Marcel de Riedmatten via mailop <[email protected]> wrote:
>
> On 15.05.21 14:43, Arne Jensen via mailop wrote:
>
>> On 15-05-2021 at 03:53, Eric Germann via mailop wrote:
>>> I’ve enabled MTA-STS for the domain semperen.com <http://semperen.com>.
>>>
> many good remarks snipped
>>> My question is what could be the cause of the failure?
>>>
>>> 1. Certificate validation error in the certificate chain
>>> 2. No reverse DNS for the IPv6 address
>>>
>>> The host is in AWS and has a PTR for IPv4 set up correctly. Not sure
>>> if you can do a PTR for IPv6 in AWS
>
> I would add that trying to connect to the site with
>
> posttls-finger -P /etc/ssl/certs smtp.semperen.com
>
> gets me TLS 1.0 only, and that might not be tasty to everyone:
>
> posttls-finger: using DANE RR: _25._tcp.smtp.semperen.com IN TLSA 3 1 1 AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60
> posttls-finger: Connected to smtp.semperen.com[3.13.72.96]:25
> posttls-finger: < 220 smtp.semperen.com ESMTP Postfix
> posttls-finger: > EHLO smtp2.dotforge.ch
> posttls-finger: < 250-smtp.semperen.com
> posttls-finger: < 250-STARTTLS
> posttls-finger: < 250-SIZE 200000000
> posttls-finger: < 250-VRFY
> posttls-finger: < 250-AUTH PLAIN LOGIN
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250 DSN
> posttls-finger: > STARTTLS
> posttls-finger: < 220 2.0.0 Ready to start TLS
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: depth=0 matched end entity public-key sha256 digest=AE:09:ED:EB:71:07:75:5D:83:B6:98:FE:D6:3D:A0:B0:B3:DC:F7:50:14:F1:78:EE:4D:32:99:64:61:95:2B:60
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: Matched subjectAltName: smtp.semperen.com
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: subjectAltName: www.smtp.semperen.com
> posttls-finger: smtp.semperen.com[3.13.72.96]:25 CommonName smtp.semperen.com
> posttls-finger: smtp.semperen.com[3.13.72.96]:25: subject_CN=smtp.semperen.com, issuer_CN=Sectigo RSA Domain Validation Secure Server CA, fingerprint=9E:20:AB:54:BF:CB:D8:6E:22:21:A8:9D:4C:69:33:E9:DF:BC:AD:FD, pkey_fingerprint=9F:D5:08:68:79:73:22:8C:A9:AC:92:89:1D:5C:B1:15:7E:57:FF:DB
> posttls-finger: Verified TLS connection established to smtp.semperen.com[3.13.72.96]:25: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>
> --
>
> Marcel de Riedmatten
>
> _______________________________________________
> mailop mailing list
> [email protected]
> https://list.mailop.org/listinfo/mailop
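The CR-LF fix Eric describes is a property of the policy file itself (the mta-sts.txt served from the mta-sts host), so a local check of that file before publishing it saves a round of external validator runs. The following is an added example and not code from the thread, from ASSP or from any of the validators linked above. It parses an MTA-STS policy body along the lines of RFC 8461 section 3.2 (version, mode, mx, max_age, unknown extension fields ignored), reports the line-ending style the validators in the thread complained about, and checks that an MX hostname is covered by a policy mx pattern (a leading "*." matches a single label). The sample policy bodies are constructed for the example; the hostnames in them are placeholders, not the thread's domain.

```python
import re

# Constructed sample policy bodies for the example (not the policy file from
# the thread). The first is CR-LF terminated, the second LF-only.
SAMPLE_POLICY_CRLF = (
    "version: STSv1\r\n"
    "mode: testing\r\n"
    "mx: smtp.example.com\r\n"
    "mx: *.backup.example.com\r\n"
    "max_age: 86400\r\n"
)
SAMPLE_POLICY_LF = SAMPLE_POLICY_CRLF.replace("\r\n", "\n")

MAX_AGE_LIMIT = 31557600  # upper bound for max_age given in RFC 8461 section 3.2
# One optional "*." wildcard label followed by at least two ordinary DNS labels.
MX_RE = re.compile(
    r"^(\*\.)?[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+$"
)


def parse_mta_sts_policy(text):
    """Parse an MTA-STS policy body.

    Returns (policy, warnings): policy has keys version, mode, mx (list) and
    max_age (int); warnings lists non-fatal findings such as LF-only line
    endings. Raises ValueError for a policy a sending MTA would have to reject.
    """
    warnings = []
    if "\n" in text and "\r\n" not in text:
        warnings.append("lines are LF-terminated; the validators in this thread expect CRLF")
    elif "\r\n" in text and "\n" in text.replace("\r\n", ""):
        warnings.append("mixed CRLF and LF line endings")
    if text and not text.endswith("\n"):
        warnings.append("no line terminator after the last field")

    policy = {"version": None, "mode": None, "mx": [], "max_age": None}
    for raw in text.replace("\r\n", "\n").split("\n"):
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no ':'): {raw!r}")
        key, value = (part.strip() for part in line.split(":", 1))
        if key in ("version", "mode", "max_age"):
            if policy[key] is not None:
                raise ValueError(f"duplicate {key} field")
            if key == "max_age":
                if not value.isdigit():
                    raise ValueError(f"max_age is not a plain integer: {value!r}")
                value = int(value)
            policy[key] = value
        elif key == "mx":
            if not MX_RE.match(value):
                raise ValueError(f"invalid mx pattern: {value!r}")
            policy["mx"].append(value)
        else:
            # RFC 8461 lets senders ignore extension fields they do not know.
            warnings.append(f"ignoring unknown extension field {key!r}")

    if policy["version"] != "STSv1":
        raise ValueError(f"unsupported version: {policy['version']!r}")
    if policy["mode"] not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode: {policy['mode']!r}")
    if policy["max_age"] is None:
        raise ValueError("max_age is required")
    if policy["max_age"] > MAX_AGE_LIMIT:
        raise ValueError(f"max_age {policy['max_age']} exceeds {MAX_AGE_LIMIT}")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("at least one mx field is required unless mode is none")
    return policy, warnings


def check_policy(text):
    """Non-raising wrapper: returns (policy or None, list of findings)."""
    try:
        return parse_mta_sts_policy(text)
    except ValueError as exc:
        return None, [f"error: {exc}"]


def mx_matches(pattern, hostname):
    """True if an MX hostname is covered by a policy mx pattern.

    A leading '*.' covers exactly one left-most label, so '*.example.com'
    matches 'mx1.example.com' but not 'a.b.example.com'. Comparison is
    case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return hostname == pattern


if __name__ == "__main__":
    for label, body in (("CRLF", SAMPLE_POLICY_CRLF), ("LF", SAMPLE_POLICY_LF)):
        policy, findings = check_policy(body)
        print(label, policy, findings)
    print(mx_matches("*.backup.example.com", "mx1.backup.example.com"))
```

To check a published policy, fetch https://mta-sts.<domain>/.well-known/mta-sts.txt and hand the response body to check_policy in binary-faithful form (do not let an HTTP client normalise line endings first), then compare each MX in DNS against the mx patterns with mx_matches.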
