J.P. Trosclair wrote:
Some of Comcast's MX servers (mx1.comcast.net, mx2.comcast.net are the
ones I've verified so far) appear to be handing out test SSL
certificates, at least that's the best guess I can make from the
research I've done so far. I reserve the right to be absolutely wrong.
I've been battling over this for 2 days now. I've seen other references
to this problem and even some (one from this list back in January)
suggesting that comcast says they're going to fix the problem, but it
doesn't seem that they have. None of the references to the bad SSL
certificate that I've seen have indicated delivery failures such as the
ones I'm about to describe.
The problems this is causing us are connections dropping and connections
timing out while trying to deliver mail to comcast (I don't understand
why just yet). It doesn't happen all the time, but it happens enough
that we're getting complaints about it. For now I've disabled smtp_tls_*
which gets the comcast destined mail out of the queue and on to their
servers. I'm not really happy about these changes and I don't understand
how the bad SSL certs are related to the connection drops and timeouts,
but to the best I can tell they are related because turning off TLS in
the smtp client pushes the mail out just fine. Maybe it's just
coincidence but every single time this has happened, turning off TLS in
the smtp client was the only way I could get the mail to change hands
with comcast without a connection drop or timeout in the middle.
IMHO Comcast's mail servers really suck. I don't think the
self-signed certificates are the real problem, but TLS may be
exacerbating the problem.
Anyway, if disabling TLS seems to fix the problem, you can use
smtp_discard_ehlo_keyword_address_maps to disable TLS when
talking to comcast's mx's. Unfortunately, you need to
populate the map by IP address.
http://www.postfix.org/postconf.5.html#smtp_discard_ehlo_keyword_address_maps
# main.cf
smtp_discard_ehlo_keyword_address_maps =
cidr:/etc/postfix/ehlo_keywords
# /etc/postfix/ehlo_keywords
x.x.x.x/x STARTTLS silent-discard
x.x.x.x/x STARTTLS silent-discard
...
-- Noel Jones
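An added example, not code from either poster: before putting a silent-discard entry in the map, it is worth checking that the drops really do line up with TLS sessions. The script below reads Postfix smtp client log lines, ties each delivery to the most recent TLS handshake logged by the same smtp(8) process, counts connection failures (lost connection, timed out) separately for TLS and plaintext sessions, and then renders cidr map lines of the form Noel shows for only those relay IPs whose failures occurred under TLS. The log lines, hostnames and addresses are constructed for the example (RFC 5737 documentation addresses, not Comcast's real MX addresses); the pid-based correlation is an assumption that holds for Postfix's per-process logging but can mis-attribute a delivery when a cached connection is reused.

```python
"""Correlate Postfix smtp client delivery failures with TLS use, then emit
cidr: entries for smtp_discard_ehlo_keyword_address_maps.
Added example; the sample log below is constructed, not real server data."""
import ipaddress
import re
from collections import defaultdict

# Constructed /var/log/mail.log style lines (hypothetical; RFC 5737 addresses).
SAMPLE_LOG = """\
Mar  5 10:00:01 mail postfix/smtp[2001]: Untrusted TLS connection established to mx1.comcast.net[192.0.2.10]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar  5 10:05:01 mail postfix/smtp[2001]: 1A2B3C4D5E: to=<user1@comcast.net>, relay=mx1.comcast.net[192.0.2.10]:25, delay=300, delays=0.1/0/0.5/300, dsn=4.4.2, status=deferred (conversation with mx1.comcast.net[192.0.2.10] timed out while sending message body)
Mar  5 10:06:01 mail postfix/smtp[2002]: Untrusted TLS connection established to mx2.comcast.net[192.0.2.11]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar  5 10:06:02 mail postfix/smtp[2002]: 2B3C4D5E6F: to=<user2@comcast.net>, relay=mx2.comcast.net[192.0.2.11]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=4.4.2, status=deferred (lost connection with mx2.comcast.net[192.0.2.11] while sending end of data -- message may be sent more than once)
Mar  5 10:10:01 mail postfix/smtp[2003]: Untrusted TLS connection established to mx.example.org[198.51.100.5]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Mar  5 10:10:02 mail postfix/smtp[2003]: 3C4D5E6F70: to=<user@example.org>, relay=mx.example.org[198.51.100.5]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABC123)
Mar  5 11:00:01 mail postfix/smtp[2004]: 4D5E6F7081: to=<user1@comcast.net>, relay=mx1.comcast.net[192.0.2.10]:25, delay=3600, delays=3599/0/0.4/0.6, dsn=2.0.0, status=sent (250 2.0.0 Ok)
"""

# "<Anonymous|Untrusted|Trusted|Verified> TLS connection established to host[ip]:port: ..."
TLS_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+")
# "<queueid>: to=<...>, relay=host[ip]:port, ..., status=<status> (<reason>)"
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+: to=<[^>]*>, "
    r"relay=(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:\d+, .*?status=(?P<status>\w+) \((?P<reason>.*)\)$")
# Connection-level failures, as opposed to policy rejections or greylisting.
CONNECTION_FAILURE_RE = re.compile(r"lost connection|timed out")


def analyze(lines):
    """Return per-relay-IP counters: tls_ok, tls_fail, plain_ok, plain_fail.

    A delivery counts as TLS-protected when the same smtp(8) process (same
    pid) most recently logged a TLS handshake to the same relay IP. The
    record is kept, not cleared, because connection caching may reuse the
    session for later deliveries (assumption; a reused plaintext connection
    after a TLS one on the same pid would be misattributed).
    Deliveries that are neither sent nor a connection failure are ignored."""
    tls_by_pid = {}
    stats = defaultdict(lambda: {"host": "", "tls_ok": 0, "tls_fail": 0,
                                 "plain_ok": 0, "plain_fail": 0})
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            tls_by_pid[m["pid"]] = m["ip"]
            continue
        m = DELIVERY_RE.search(line)
        if not m:
            continue
        ip = m["ip"]
        tls = tls_by_pid.get(m["pid"]) == ip
        if m["status"] == "sent":
            outcome = "_ok"
        elif CONNECTION_FAILURE_RE.search(m["reason"]):
            outcome = "_fail"
        else:
            continue
        entry = stats[ip]
        entry["host"] = m["host"]
        entry[("tls" if tls else "plain") + outcome] += 1
    return dict(stats)


def suspect_relays(stats):
    """Relay IPs whose connection failures happened only in TLS sessions."""
    return sorted(ip for ip, s in stats.items()
                  if s["tls_fail"] > 0 and s["plain_fail"] == 0)


def cidr_map(ips):
    """Render cidr: table lines that strip STARTTLS from the EHLO response
    of the given hosts; ipaddress validates each address and gives it a
    host prefix (/32 or /128)."""
    lines = []
    for ip in ips:
        net = ipaddress.ip_network(ip)  # raises ValueError on garbage input
        lines.append(f"{net.with_prefixlen} STARTTLS silent-discard")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for ip, s in sorted(result.items()):
        print(f"{ip:<15} {s['host']:<18} tls ok/fail {s['tls_ok']}/{s['tls_fail']}  "
              f"plain ok/fail {s['plain_ok']}/{s['plain_fail']}")
    print("# /etc/postfix/ehlo_keywords")
    print(cidr_map(suspect_relays(result)), end="")
```

Run it against a real mail.log instead of SAMPLE_LOG to see which relays only fail under TLS; the cidr: table it prints is read directly by Postfix (no postmap step is needed for cidr tables), and a "postfix reload" picks up the map after main.cf points at it.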