On 22 Sep 2020, at 12:10, Christian Eyrich via Exim-users wrote:
> Hi,
>
> a few weeks ago the GMX mail servers stopped sending mails to my
> server.
>
> The GMX mailer daemon writes:
> A message that you sent could not be delivered to one or more of
> its recipients. This is a permanent error. The following
> address(es) failed:
> christian@???:
> remote MX does not support STARTTLS
>
> Thing is that my mail server does support STARTTLS and also advertises
> this, which I verified in the Exim debug log and also recorded with
> tshark:
>
> 20 212.227.15.19 → 94.16.119.13 SMTP 85 C: EHLO mout.gmx.net
> 21 94.16.119.13 → 212.227.15.19 SMTP 224 S:
> 250-mail.eyrich-net.org: Hello mout.gmx.net [212.227.15.19] | 250-SIZE
> 52428800 | 250-8BITMIME | 250-PIPELINING | 250-CHUNKING | 250-STARTTLS
> | 250-PRDR | 250 HELP
> 22 212.227.15.19 → 94.16.119.13 TCP 66 41705 → 25 [FIN, ACK]
> Seq=20 Ack=228 Win=64128 Len=0 TSval=3976249530 TSecr=307582370
> 23 94.16.119.13 → 212.227.15.19 SMTP 114 S: 421
> mail.eyrich-net.org: lost input connection
>
> Has something like that happened to you in the past or can you
> reproduce it on my server?
No. Your server seems to support TLS v1.3 and v1.2 just fine.
> BTW: Yes, mails from other systems arrive without problems. So that
> looks like a general GMX error to me.
Yes. There are 2 issues that *may* be causing trouble:
1. You don't allow any TLS versions below 1.2. While that may seem to be
a safety measure, it actually can cause problems because a client that
does not support v1.2 or v1.3 can only resort to sending in clear text.
2. Your server is soliciting client certificates and sending a list of
126 acceptable CAs. Some clients may interpret the solicitation of
client certs as a demand for a client cert, and when they cannot match a
CA on that list, will give up. Unless you are using client certs for
authentication (generally not useful on port 25) there's no reason to
solicit them.
I do not know that GMX is making the specific errors that would make
those configuration choices impair their delivery to you, but it is
possible and there's not a strong argument for either unusual choice.
> But GMX is a quite large provider here in Germany and the problem
> has persisted since the beginning of September now—shouldn’t somebody have
> noticed that?
> Since I also wasn't able to contact the GMX postmaster, I’m asking
> you for ideas.
Since GMX offers free accounts, you might find it useful to get one so
that you can contact them more easily.
--
Bill Cole
bill@??? or billcole@???
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
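To make the two configuration choices discussed in the reply concrete, here is an added illustration of how they appear in Exim's main configuration section; it is not the poster's configuration nor anything shipped with Exim, it assumes an OpenSSL-linked Exim 4.9x (GnuTLS equivalents are in comments), and the certificate paths are placeholders.

```conf
# Exim main configuration section, constructed illustration only.
# Assumes an OpenSSL-linked Exim 4.9x; GnuTLS forms are noted in comments.

# --- Issue 1: minimum TLS version ----------------------------------------
# Restrictive form: refuses TLS 1.0 and 1.1, so a peer that cannot do 1.2
# or 1.3 can only fall back to clear text (or give up, as seen above).
#openssl_options = +no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1
# GnuTLS-linked build, same effect via the priority string:
#tls_require_ciphers = NORMAL:-VERS-TLS1.0:-VERS-TLS1.1

# Permissive form for an inbound MX on port 25: drop only SSLv2/SSLv3,
# because opportunistic TLS at an old version still beats plaintext.
openssl_options = +no_sslv2 +no_sslv3
# GnuTLS-linked build equivalent:
#tls_require_ciphers = NORMAL:-VERS-SSL3.0

# --- Issue 2: soliciting client certificates -----------------------------
# Exim sends a TLS CertificateRequest when tls_verify_certificates is set
# AND the peer matches tls_try_verify_hosts or tls_verify_hosts. With the
# value "system" the request carries every CA in the OS bundle, which is
# where a list of 126 acceptable CAs comes from.
#tls_verify_certificates = system
#tls_try_verify_hosts = *

# An MX that does not authenticate peers by client certificate should
# leave both host lists empty, so no CertificateRequest is sent at all:
tls_try_verify_hosts =
tls_verify_hosts =

# Unchanged: the part the tshark trace already shows working.
tls_advertise_hosts = *
tls_certificate = /etc/exim4/PLACEHOLDER-mx.pem    # placeholder path
tls_privatekey  = /etc/exim4/PLACEHOLDER-mx.key    # placeholder path
```

The effective values can be read back with `exim -bP openssl_options tls_try_verify_hosts tls_verify_hosts` before and after the change.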