> On Jan 13, 2019, at 11:46 PM, John Levine <[email protected]> wrote:
> 
> @400000005c3c0fa223836c4c tcpserver: ok 78670 mail1.iecc.com:2001:470:1f07:1126:33:5370:616d:6d31:25 :2001:558:fe16:19:96:114:154:171::36062
> @400000005c3c0fa31eddb9cc mailfront[78670]: Starting TLS handshake
> @400000005c3c0fa322a0865c mailfront[78670]: SNI value: mx1.taugh.com
> @400000005c3c0fa3231479f4 mailfront[78670]: Using SNI cert file for mx1.taugh.com
> @400000005c3c0fa32d79b364 mailfront[78670]: TLS handshake failed: A TLS fatal alert has been received.
> @400000005c3c0fa32d79bf1c mailfront[78670]: bytes in: 0 bytes out: 0

Plausibly, based on the logs, the client did not like the handshake,
and sent some sort of alert.  Sadly, the logging omits the crucial
alert number or description, so there's not much to go on.

Perhaps these SNI configurations fail to include the intermediate CA
certs?  And the client is enforcing use of TLS?

Also, keep in mind that Comcast implements DANE; if you're now
serving a different certificate that does not match the TLSA
record, then all the pieces fit together...

On the other hand, though I had trouble connecting to your IPv4 service,
your IPv6 SMTP server does seem to have the correct TLSA RRs:

taugh.com. IN MX 20 mx1.taugh.com. ; AD=1 NoError
mx1.taugh.com. IN A 64.57.183.56 ; AD=1 NoError
mx1.taugh.com. IN AAAA 2001:470:1f07:1126:33:5370:616d:6d31 ; AD=1 NoError
_25._tcp.mx1.taugh.com. IN CNAME _25._tcp.mail1.iecc.com. ; AD=1 NoError
_25._tcp.mail1.iecc.com. IN TLSA 3 1 1 eb6cbfd29e89b8debba18703ae532eb1bf76c92d8c421c0f6d8ae49c96427a0d ; AD=1 NoError
  mx1.taugh.com[64.57.183.56]: connection timeout
  mx1.taugh.com[2001:470:1f07:1126:33:5370:616d:6d31]: pass: TLSA match: depth = 0
    TLS = TLS12 with ECDHE-RSA-AES256GCM-SHA384
    name = mail1.iecc.com
    depth = 0
      Issuer CommonName = Let's Encrypt Authority X3
      Issuer Organization = Let's Encrypt
      notBefore = 2018-12-09T08:00:40Z
      notAfter = 2019-03-09T08:00:40Z
      Subject CommonName = mail1.iecc.com
      pkey sha256 [matched] <- 3 1 1 eb6cbfd29e89b8debba18703ae532eb1bf76c92d8c421c0f6d8ae49c96427a0d
    depth = 1
      Issuer CommonName = DST Root CA X3
      Issuer Organization = Digital Signature Trust Co.
      notBefore = 2016-03-17T16:40:46Z
      notAfter = 2021-03-17T16:40:46Z
      Subject CommonName = Let's Encrypt Authority X3
      Subject Organization = Let's Encrypt
      pkey sha256 [nomatch] <- 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18

But the returned certificate does not match the SNI name.

If your server has "multiple personality disorder", trying to make
both MTA-STS and DANE work can be daunting, though by using
the same underlying public key, with "3 1 1" records the TLSA
records might be "personality-agnostic". :-)

-- 
        Viktor.
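
The TLSA matching that this reply walks through (selector 1 hashes only the SubjectPublicKeyInfo, so a "3 1 1" record keeps matching whichever certificate "personality" the server presents as long as the key is the same, while a new key or a whole-certificate "3 0 1" record breaks the match) can be shown with a small Python model. This is an added example written for this page, not code from the post, posttls-finger, or any MTA. The key material is a constructed toy integer (not a real RSA modulus), `Cert` is a stand-in that carries only the fields TLSA matching looks at, and `dane_verify` models the digest-matching step only; the helper names are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

# ---- tiny DER encoder, enough to build an RSA SubjectPublicKeyInfo for the toy key ----
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(i: int) -> bytes:
    # Unsigned INTEGER: a leading 0x00 is added when the top bit is set so DER reads it as positive.
    return der_tlv(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING RSAPublicKey }"""
    rsa_public_key = der_tlv(0x30, der_int(n) + der_int(e))
    alg_id = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_public_key))

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate (assumption): only what TLSA matching inspects."""
    subject_cn: str
    issuer_cn: str
    spki: bytes

    def der(self) -> bytes:
        # Selector 0 hashes the whole certificate. This constructed blob changes whenever the
        # subject, issuer or key changes, as a real certificate's DER would.
        return der_tlv(0x30, der_tlv(0x0C, self.subject_cn.encode())
                       + der_tlv(0x0C, self.issuer_cn.encode()) + self.spki)

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE; 0/1 are not usable for SMTP (RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes

    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        """Parse presentation-format RDATA such as '3 1 1 eb6cbf...'."""
        usage, selector, mtype, hexdata = rdata.split(None, 3)
        return cls(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

    def rdata(self) -> str:
        return f"{self.usage} {self.selector} {self.mtype} {self.data.hex()}"

def tlsa_matches(record: TLSA, cert: Cert) -> bool:
    data = cert.spki if record.selector == 1 else cert.der()
    if record.mtype == 0:
        digest = data
    elif record.mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif record.mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        return False  # unknown matching type: the record is unusable
    return hmac.compare_digest(digest, record.data)

def dane_verify(records: List[TLSA], chain: List[Cert]) -> Tuple[bool, str]:
    """chain[0] is the server's end-entity certificate, chain[1:] its issuers.
    Only the digest-matching step is modelled; for DANE-TA(2) a real MTA must also
    validate the chain's signatures up to the matched trust anchor."""
    usable = [r for r in records if r.usage in (2, 3)]
    if not usable:
        return False, "no usable TLSA records"
    for r in usable:
        if r.usage == 3 and tlsa_matches(r, chain[0]):
            return True, f"TLSA match: depth = 0 <- {r.rdata()}"
        if r.usage == 2:
            for depth, issuer in enumerate(chain[1:], start=1):
                if tlsa_matches(r, issuer):
                    return True, f"TLSA match: depth = {depth} <- {r.rdata()}"
    return False, "no TLSA record matched the presented chain"

# Constructed key material: NOT a real RSA modulus, just a stable integer for the demo.
TOY_N = int("c0ffee" * 20, 16) | 1
TOY_E = 65537
SHARED_SPKI = rsa_spki(TOY_N, TOY_E)
OTHER_SPKI = rsa_spki(TOY_N ^ 0xF0F0, TOY_E)

# Two "personalities" of one server sharing a single key, plus a certificate with a new key.
CERT_MAIL1 = Cert("mail1.iecc.com", "Let's Encrypt Authority X3", SHARED_SPKI)
CERT_MX1 = Cert("mx1.taugh.com", "Let's Encrypt Authority X3", SHARED_SPKI)
CERT_NEWKEY = Cert("mx1.taugh.com", "Let's Encrypt Authority X3", OTHER_SPKI)

REC_3_1_1 = TLSA(3, 1, 1, hashlib.sha256(SHARED_SPKI).digest())       # key-based record
REC_3_0_1 = TLSA(3, 0, 1, hashlib.sha256(CERT_MAIL1.der()).digest())  # whole-certificate record

if __name__ == "__main__":
    for rec, cert in [(REC_3_1_1, CERT_MAIL1), (REC_3_1_1, CERT_MX1),
                      (REC_3_0_1, CERT_MX1), (REC_3_1_1, CERT_NEWKEY)]:
        print(f"{rec.rdata()[:20]}... vs {cert.subject_cn:15} -> {dane_verify([rec], [cert])}")
```

Running the block shows the "3 1 1" record matching both the mail1.iecc.com and mx1.taugh.com personalities, the "3 0 1" record matching only the certificate it was computed from, and neither matching once the server rotates to a different key, which is the failure mode the reply suspects.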

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta