On Thu, 23 Oct 2025 at 12:07, Fehlauer, Norbert via mailop <[email protected]> wrote:
>
> Hi,
>
> just after writing this question it came to my mind that it might be our ECC
> certificate.
You do not support TLSv1.3, just TLSv1.2. You only have an ECC certificate, not an RSA certificate. Therefore, you only support TLSv1.2 with just the following 4 ciphers:

ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-SHA384
ECDHE-ECDSA-AES128-SHA256

This is because in TLSv1.2 an ECC certificate restricts the available ciphers to ECDSA ciphers. This is a pretty limited configuration; it's not a surprise you have some compatibility issues.

You should upgrade to support TLSv1.3 as well as TLSv1.2 and downgrade from ECC to an RSA 2048-bit certificate for compatibility in the TLSv1.2 space.

If we take a look at what Office 365 supports, first of all they support TLSv1.3 and only use RSA certificates. The supported TLSv1.2 ciphers are:

ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES256-SHA
ECDHE-RSA-AES128-SHA
AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-SHA256
AES128-SHA256
AES256-SHA
AES128-SHA

I know this kind of argument is frowned upon, but you can have the luxury of not having to troubleshoot TLS problems on your email setup at all if you just make sure you support the same ciphers as Gmail and O365.

You can use testssl.sh for example to troubleshoot this.

Lukas

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
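The cipher-suite mismatch Lukas describes, modelled as an added example (not code from the post or from testssl.sh): a TLS 1.2 handshake between a client offering the Office 365 list quoted above and a server that can only authenticate ECDSA suites, compared with the same server after switching to an RSA certificate and with TLS 1.3, where the certificate key type does not constrain the cipher suite. It assumes O365 offers the same suites as a sending client that it serves as a receiver.

```python
from typing import Optional

# TLS 1.2 suites the ECC-only server supports (from the thread).
SERVER_ECC_TLS12 = [
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-SHA384", "ECDHE-ECDSA-AES128-SHA256",
]
# TLS 1.2 suites Office 365 supports (from the thread); assumed here to be
# what it also offers when it connects outbound as an SMTP client.
O365_TLS12 = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
    "AES256-SHA256", "AES128-SHA256", "AES256-SHA", "AES128-SHA",
]
# TLS 1.3 suites (RFC 8446): authentication is negotiated separately, so the
# certificate key type does not restrict which of these can be chosen.
TLS13_SUITES = ["TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256",
                "TLS_CHACHA20_POLY1305_SHA256"]


def required_cert_type(suite: str) -> Optional[str]:
    """Key type a suite (OpenSSL name) needs in the server cert; None for TLS 1.3."""
    if suite.startswith("TLS_"):
        return None
    if "-ECDSA-" in suite:
        return "ECDSA"
    # ECDHE-RSA-* and legacy static-RSA suites (AES256-SHA, ...) both need an RSA key.
    return "RSA"


def negotiate(client_suites, server_suites, server_cert_type) -> Optional[str]:
    """First client-preferred suite both sides support and the server's certificate
    can authenticate, or None when the handshake would fail."""
    offerable = {s for s in server_suites
                 if required_cert_type(s) in (None, server_cert_type)}
    return next((s for s in client_suites if s in offerable), None)


def rsa_equivalents(ecdsa_suites):
    """Suites the same server could offer after swapping its ECC cert for an RSA one."""
    return [s.replace("-ECDSA-", "-RSA-") for s in ecdsa_suites]


if __name__ == "__main__":
    print(negotiate(O365_TLS12, SERVER_ECC_TLS12, "ECDSA"))               # None
    print(negotiate(O365_TLS12, rsa_equivalents(SERVER_ECC_TLS12), "RSA"))  # ECDHE-RSA-AES256-GCM-SHA384
    print(negotiate(TLS13_SUITES, TLS13_SUITES, "ECDSA"))                 # TLS_AES_256_GCM_SHA384
```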
