On Sun, Dec 21, 2025 at 02:17:00PM +0100, A.Schulze via mailop wrote:

> On 15.12.25 at 08:43, Ralf Hildebrandt via mailop wrote:
> > Dec 9 13:04:01 mail-cbf-int extern/smtpd[4088632]: NOQUEUE: lost
> > connection after STARTTLS from
> > de-smtp-delivery-58.mimecast.com[194.104.109.58]
>
> Hello Ralf,
>
> I can't verify your finding "MIMECAST deliver only to RSA"
> I checked my logs of my domain's MX:
>
> May 11 07:00:00 mta postfix/mx/smtpd[11310]: Trusted TLS connection
> established from us-smtp-inbound-delivery-1.mimecast.com[170.10.128.81]:
> TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)

If this connection continued to an actual message delivery, then sure...

> Dec 16 10:00:00 mta postfix/mx/smtpd[8672]: Trusted TLS connection
> established from de-smtp-delivery-116.mimecast.com[194.104.111.116]:
> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> key-exchange x25519 server-signature ECDSA (prime256v1)
> server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest
> SHA256

Amusing distraction, you managed to elicit an RSA client certificate
from the SMTP client...

> I compared your and my MX hosts using testssl.sh [1]. Things that are
> different:
> - you've tls_preempt_cipherlist [2] set to default / no
> - your server support Session Resumption by ID
> - while mail-cbf-ext.charite.de do not offer DHE cipher, testssl.sh show
>   "Finite field group: ffdhe2048 ffdhe3072"

None of those look particularly relevant, but you surely have a
certificate from a different CA.

> But maybe these difference are irrelevant to your issue.
>
> I also suggest you check again your MTA STS Policy host. Hardenize.com still
> rate your policy as invalid [3]
>
> [3] https://www.hardenize.com/report/charite.de/1766319800#email_mta_sts

The objection appears to be the trailing blank line, that particular nit
is unlikely to be material. No other errors are reported. I noted the
extraneous blank line a few days back upthread, Ralf should have fixed
it by now, but apparently hasn't yet had the opportunity:

    $ curl -so - https://mta-sts.charite.de/.well-known/mta-sts.txt | cat -etv
    version: STSv1^M$
    mode: enforce^M$
    mx: mail-cbf-ext.charite.de^M$
    mx: mail-cvk-ext.charite.de^M$
    max_age: 1209600^M$
    ^M$

-- 
    Viktor. 🇺🇦 Слава Україні!
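
An added example, not part of the original message: a small linter for the policy body shown in the `curl` output above, following the RFC 8461 policy grammar, that reports the extra empty line separately from errors in the fields themselves. The name `lint_mta_sts` and the split into errors and nits are assumptions of this example, and the sample bytes are constructed from the `cat -etv` output.

```python
import re

# Constructed sample: the policy body as `cat -etv` shows it in the message
# (CRLF line endings, then one extra empty line).
SAMPLE = (b"version: STSv1\r\nmode: enforce\r\n"
          b"mx: mail-cbf-ext.charite.de\r\nmx: mail-cvk-ext.charite.de\r\n"
          b"max_age: 1209600\r\n\r\n")

def lint_mta_sts(body: bytes):
    """Return (policy, errors, nits); lint_mta_sts is a hypothetical helper."""
    policy, errors, nits = {"mx": []}, [], []
    lines = re.split(r"\r?\n", body.decode("ascii", "replace"))
    if lines[-1] == "":
        lines.pop()  # the one optional terminator after the last field
    for n, line in enumerate(lines, 1):
        if not line.strip(" \t"):
            nits.append(f"line {n}: empty line")  # formatting nit, not a field error
            continue
        key, sep, value = line.partition(":")
        if not sep:
            errors.append(f"line {n}: not a key:value field")
            continue
        key, value = key.lower(), value.strip(" \t")
        if key == "mx":
            policy["mx"].append(value)      # mx is the only repeatable field
        else:
            policy.setdefault(key, value)   # first occurrence wins
    if policy.get("version") != "STSv1":
        errors.append("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        errors.append("mode must be enforce, testing or none")
    if not re.fullmatch(r"\d{1,10}", policy.get("max_age", "")):
        errors.append("max_age must be 1 to 10 digits")
    if policy.get("mode") != "none" and not policy["mx"]:
        errors.append("at least one mx is required unless mode is none")
    return policy, errors, nits

if __name__ == "__main__":
    policy, errors, nits = lint_mta_sts(SAMPLE)
    print("policy:", policy)
    print("errors:", errors)
    print("nits:  ", nits)
```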
