openssl s_client -starttls smtp uses the hardcoded EHLO "openssl.client.net".
Advanced spam filters check EHLO hostnames against blacklists and may reject these sessions since "client.net" is an existing parked domain and blacklisted on jp.surbl.org.

Client:

    #openssl s_client -connect <munged>:25 -starttls smtp -crlf
    CONNECTED(00000003)
    didn't found starttls in server response, try anyway...
    140655663449768:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:683:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 177 bytes and written 246 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    ---

NOTE: error message reports: "didn't found starttls". Bad grammar, should probably read: "didn't find starttls"

MTA log output:

    Nov 24 09:43:23 <munged> postfix/smtpd[7623]: NOQUEUE: milter-reject: EHLO from unknown[<munged>]: 550 5.7.1 black listed URL host openssl.client.net by <munged>; proto=SMTP helo=<openssl.client.net>

Possible fixes:
- make the EHLO hostname configurable (preferred)
- use the client hostname (which could in turn be rejected because it is often not fully qualified)
- use a hostname in the openssl.org domain or one of example.com/example.org/example.net (which could also be rejected since the target server may detect that the client does not belong to these domains)

Additional Information:

    openssl version
    OpenSSL 1.0.0e 6 Sep 2011
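The plaintext half of the STARTTLS exchange with a configurable EHLO name, as an added example that is not part of the original report and is not OpenSSL code. It stops at the first non-success reply, so a policy rejection of the EHLO name is reported as such instead of surfacing later as an "unknown protocol" TLS error. The fake MTA, its blacklist and the host names are constructed for the demo.

```python
import socket
import threading

BLOCKED = {"openssl.client.net"}  # constructed policy mirroring the milter log above

def read_reply(f):
    """Read one SMTP reply (possibly multi-line); return (code, [text, ...])."""
    texts = []
    while True:
        line = f.readline().decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3:
            raise ConnectionError("connection closed mid-reply")
        texts.append(line[4:])
        if line[3:4] != "-":  # "250-" continues the reply, "250 " ends it
            return int(line[:3]), texts

def starttls_preflight(sock, ehlo_name):
    """Run banner, EHLO and STARTTLS in plaintext; classify the outcome."""
    f = sock.makefile("rwb")
    code, _ = read_reply(f)
    if code != 220:
        return ("banner-rejected", code)
    f.write(b"EHLO " + ehlo_name.encode("ascii") + b"\r\n"); f.flush()
    code, caps = read_reply(f)
    if code != 250:
        return ("ehlo-rejected", code)  # the case in the report: 550 5.7.1
    if not any(c.upper().split()[:1] == ["STARTTLS"] for c in caps[1:]):
        return ("no-starttls", code)
    f.write(b"STARTTLS\r\n"); f.flush()
    code, _ = read_reply(f)
    return ("ready-for-tls" if code == 220 else "starttls-refused", code)

def fake_mta(sock):
    """Constructed stand-in for the filtering MTA (not a real server)."""
    with sock, sock.makefile("rwb") as f:
        f.write(b"220 mx.example.test ESMTP\r\n"); f.flush()
        name = f.readline().decode("ascii").strip().partition(" ")[2]
        if name in BLOCKED:
            f.write(b"550 5.7.1 black listed URL host " + name.encode() + b"\r\n")
            return
        f.write(b"250-mx.example.test\r\n250 STARTTLS\r\n"); f.flush()
        if f.readline().strip().upper() == b"STARTTLS":
            f.write(b"220 2.0.0 Ready to start TLS\r\n")

def demo(ehlo_name):
    """Run the preflight against the fake MTA over a local socket pair."""
    a, b = socket.socketpair()
    t = threading.Thread(target=fake_mta, args=(b,)); t.start()
    try:
        return starttls_preflight(a, ehlo_name)
    finally:
        a.close(); t.join()
```

Only on "ready-for-tls" would a real client go on to wrap the socket in TLS.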
