On 15.12.25 at 08:43, Ralf Hildebrandt via mailop wrote:
> Dec 9 13:04:01 mail-cbf-int extern/smtpd[4088632]: NOQUEUE: lost connection after STARTTLS from de-smtp-delivery-58.mimecast.com[194.104.109.58]

Hello Ralf,

I can't verify your finding "MIMECAST deliver only to RSA". I checked the logs of my domain's MX:

May 11 07:00:00 mta postfix/mx/smtpd[11310]: Trusted TLS connection established from us-smtp-inbound-delivery-1.mimecast.com[170.10.128.81]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Dec 16 10:00:00 mta postfix/mx/smtpd[8672]: Trusted TLS connection established from de-smtp-delivery-116.mimecast.com[194.104.111.116]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256

Similar result in my office's logs. They also prove MIMECAST *does* deliver to servers using ECDSA certs with 256 and 384 key sizes.

I compared your and my MX hosts using testssl.sh [1]. Things that are different:

- you've tls_preempt_cipherlist [2] set to default / no
- your server supports Session Resumption by ID
- while mail-cbf-ext.charite.de does not offer DHE ciphers, testssl.sh shows "Finite field group: ffdhe2048 ffdhe3072"

But maybe these differences are irrelevant to your issue.

I also suggest you check your MTA-STS policy host again. Hardenize.com still rates your policy as invalid [3].

Andreas

[1] https://github.com/testssl/testssl.sh
[2] https://www.postfix.org/postconf.5.html#tls_preempt_cipherlist
[3] https://www.hardenize.com/report/charite.de/1766319800#email_mta_sts

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
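The check Andreas did by hand above (grep the MX log for a sender, see whether STARTTLS completed and what the negotiated session says about the server certificate) is easy to automate. The script below is an added example, not code from this thread, from Postfix or from Mimecast. It parses the two kinds of Postfix smtpd lines quoted in the thread ("lost connection after STARTTLS" and "TLS connection established", including the key-exchange/server-signature/client-signature fields newer Postfix releases append) and summarises per sending domain. The sample log is constructed after the quoted lines; hostnames, addresses, PIDs and timestamps are illustrative. For TLS 1.2 the server-authentication algorithm is inferred from the OpenSSL suite name, which is a heuristic; for TLS 1.3 it is taken from the logged server-signature field.

```python
"""Summarise STARTTLS outcomes per sending domain from Postfix smtpd logs.

Added example, not from the mailop thread or from Postfix. Run with real
data as:  python3 starttls_summary.py < /var/log/mail.log
"""
import re
import sys
from collections import Counter

# Constructed sample modelled on the lines quoted in the thread.
# Hostnames, IPs, PIDs and timestamps are illustrative, not captured data.
SAMPLE_LOG = """\
Dec 9 13:04:01 mail-cbf-int extern/smtpd[4088632]: NOQUEUE: lost connection after STARTTLS from de-smtp-delivery-58.mimecast.com[194.104.109.58]
May 11 07:00:00 mta postfix/mx/smtpd[11310]: Trusted TLS connection established from us-smtp-inbound-delivery-1.mimecast.com[170.10.128.81]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Dec 16 10:00:00 mta postfix/mx/smtpd[8672]: Trusted TLS connection established from de-smtp-delivery-116.mimecast.com[194.104.111.116]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256
Dec 16 10:05:00 mta postfix/mx/smtpd[8690]: Anonymous TLS connection established from mail.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Dec 16 10:06:00 mta postfix/mx/smtpd[8691]: NOQUEUE: lost connection after STARTTLS from de-smtp-delivery-58.mimecast.com[194.104.109.58]
"""

# "<Trusted|Untrusted|Anonymous|Verified> TLS connection established from host[ip]: TLSvX with cipher NAME (n/m bits) ..."
ESTABLISHED_RE = re.compile(
    r"smtpd\[\d+\]: (?P<trust>\w+) TLS connection established from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]: (?P<proto>TLSv[\d.]+) with cipher "
    r"(?P<cipher>\S+) \((?P<bits>\d+/\d+) bits\)(?P<extra>.*)$"
)
# Client dropped the connection right after STARTTLS (Ralf's symptom).
LOST_RE = re.compile(
    r"smtpd\[\d+\]: NOQUEUE: lost connection after STARTTLS from "
    r"(?P<host>\S+)\[(?P<ip>[^\]]+)\]"
)
# Optional trailing "key-exchange x25519 server-signature ECDSA (prime256v1) ..." fields.
EXTRA_RE = re.compile(
    r"(key-exchange|server-signature|server-digest|client-signature|client-digest)"
    r" (\S+(?: \([^)]*\))?)"
)


def parse_line(line):
    """Return a dict for a TLS-relevant smtpd line, or None for anything else."""
    m = LOST_RE.search(line)
    if m:
        return {"event": "lost", "host": m["host"], "ip": m["ip"]}
    m = ESTABLISHED_RE.search(line)
    if not m:
        return None
    rec = {"event": "established", **m.groupdict()}
    for key, val in EXTRA_RE.findall(rec.pop("extra")):
        rec[key] = val
    return rec


def server_auth(rec):
    """Algorithm of the certificate our MX (the server) authenticated with.

    TLS 1.3 lines log it explicitly as server-signature. TLS 1.2 suite names
    encode it; the mapping below is a heuristic: "ECDSA" suites use ECDSA,
    ECDHE-RSA / DHE-RSA and static-RSA suites (AES..., CAMELLIA...) use RSA.
    """
    sig = rec.get("server-signature")
    if sig:
        return sig.split()[0]  # "ECDSA (prime256v1)" -> "ECDSA"
    cipher = rec["cipher"]
    if "ECDSA" in cipher:
        return "ECDSA"
    if "RSA" in cipher or cipher.startswith(("AES", "CAMELLIA")):
        return "RSA"
    return "unknown"


def summarize(log_text, domain):
    """Count STARTTLS outcomes for senders whose hostname ends in `domain`."""
    summary = {
        "established": 0,
        "lost": 0,
        "protocols": Counter(),
        "server_auth": Counter(),
        "lost_hosts": Counter(),
    }
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["host"].endswith("." + domain):
            continue
        if rec["event"] == "lost":
            summary["lost"] += 1
            summary["lost_hosts"][rec["host"]] += 1
        else:
            summary["established"] += 1
            summary["protocols"][rec["proto"]] += 1
            summary["server_auth"][server_auth(rec)] += 1
    return summary


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    domain = sys.argv[1] if len(sys.argv) > 1 else "mimecast.com"
    s = summarize(text, domain)
    print(f"{domain}: {s['established']} established, {s['lost']} lost after STARTTLS")
    print("  protocols:  ", dict(s["protocols"]))
    print("  server auth:", dict(s["server_auth"]))
    print("  lost from:  ", dict(s["lost_hosts"]))
```

A sender that both completes handshakes against an ECDSA-authenticated server and repeatedly drops after STARTTLS from particular delivery hosts points away from a blanket "RSA only" policy and towards something host- or session-specific, which is why the output keeps the per-host lost count alongside the algorithm tally.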
