On Tue, 22 Sep 2020, Viktor Dukhovni wrote:
On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote:
You might find another one in your logs now. :-)
You're welcome! :)
$ posttls-finger -g HIGH -o tls_high_cipherlist='DEFAULT:!aECDSA' -p '!TLSv1.3' mars.unx.se
posttls-finger: Connected to mx.unx.se[2600:3c04::f03c:91ff:feea:d4d]:25
posttls-finger: < 220 phobos.unx.se ESMTP
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-phobos.unx.se
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10240000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: SSL_connect error to mx.unx.se[2600:3c04::f03c:91ff:feea:d4d]:25: -1
posttls-finger: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40:
I'm running Postfix 3.6-20200830 compiled with openssl-1.1.1g. Using
Let's Encrypt certificate.
Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
support ECDSA. You'd need an additional RSA certificate to interoperate
with their sending MTA's limited STARTTLS cipher/protocol repertoire.
Oh, yes, you are right!
The combination of a rather ancient, poorly interoperable, TLS stack
(TLSv1 only or preferred, no ECDSA support) with an inability to retry
without STARTTLS makes their SMTP servers rather brittle. One might
reasonably take the view that the problem is theirs to solve.
The host in question, which also happens to run the DMARC mailing list,
uses Sendmail 8.14.5 released 9 years ago, according to their headers.
I'll stick to my ecdsa cert. :)
Thank you for your explanation!
-me
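As an added illustration (not part of the thread, and not Postfix project documentation), here is the main.cf change that Viktor's advice implies: serving an RSA chain next to the ECDSA one so a legacy sender with no ECDSA cipher suites still completes the handshake. The certificate paths are placeholders and the parameter requires Postfix 3.4 or later.

```ini
# Added example, not from the thread. Postfix main.cf, 3.4 or later.
# Paths are placeholders; substitute your own certificate directories.

# Before: a single ECDSA P-256 chain. A sending MTA that offers no ECDSA
# cipher suites (the case simulated above with
# -o tls_high_cipherlist='DEFAULT:!aECDSA' -p '!TLSv1.3') is refused with
# "sslv3 alert handshake failure" (alert 40) right after STARTTLS.
# Each chain is listed as its private key first, then its certificate chain.
smtpd_tls_chain_files =
    /PLACEHOLDER/ecdsa/privkey.pem,
    /PLACEHOLDER/ecdsa/fullchain.pem

# After: an RSA chain and an ECDSA chain side by side (use only one of the
# two smtpd_tls_chain_files settings in a real main.cf). Postfix selects the
# chain that matches what the client advertises, so modern clients still
# negotiate ECDSA while RSA-only clients get the RSA certificate.
smtpd_tls_chain_files =
    /PLACEHOLDER/rsa/privkey.pem,
    /PLACEHOLDER/rsa/fullchain.pem,
    /PLACEHOLDER/ecdsa/privkey.pem,
    /PLACEHOLDER/ecdsa/fullchain.pem

# Verification: rerun the posttls-finger command from the thread against the
# server; with both chains present the RSA-only session should reach
# "Untrusted TLS connection established" or better instead of SSL_connect
# error -1. Run it once more without the -o/-p overrides to confirm that
# an ECDSA-capable client still negotiates the ECDSA certificate.
```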