Issues delivering mail from GMX to my postfix
Carsten Strotmann (sys4)
cs at sys4.de
Thu May 19 19:26:46 CEST 2016
Hello Viktor,
On 05/19/16 18:04, Viktor Dukhovni wrote:
> On Thu, May 19, 2016 at 05:02:59PM +0200, Carsten Strotmann (sys4) wrote:
>
>>> posttls-finger: Verified TLS connection established to
>>> smtp2.strotmann.de[5.45.109.212]:25: TLSv1.2 with cipher
>>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>>> posttls-finger: > EHLO mx3.grsi.com
>>> posttls-finger: < 500 5.5.1 Command unrecognized
>>> posttls-finger: EHLO rejected: 500 5.5.1 Command unrecognized
>>> posttls-finger: > QUIT
>>>
>>> I am not sure what is talking here, but it's not postfix and it's not
>>> allowing the ehlo to be processed.
>>>
>>
>> This is OpenBSD's "spamd" intercepting. I need to check why it is
>> intercepting here, and not transparently piping towards the Postfix.
>>
>> Thanks for the pointers, I will check that.
>
> I was going to guess that spamd or similar is the most likely
> culprit, even before you said you're running it.
>
> https://dane.sys4.de/common_mistakes#8
>
> It might be enabling TLS only for cached "known good" clients, but
> that is not compatible with DANE.
>
This seems to be the issue. Although "spamd" in its latest version does
support TLS, *my* installation has stopped offering STARTTLS. I need to
check why that is.
It also might be this issue:
<https://groups.google.com/forum/#!topic/mailing.openbsd.bugs/dK22QW-fWCk>
I will try the patch and check again.
My 2nd MX (smtp3.strotmann.de) is a plain postfix on Debian doing
STARTTLS and having DANE TLSA. If the first MX does not offer STARTTLS,
shouldn't a sender try the 2nd MX (TLSA authenticated) mail-destination
in case the first fails because of missing STARTTLS?
I scanned RFC 7672, but couldn't find this case mentioned.