Author: Mike Tubby Date: To: exim-users Subject: Re: [exim] remote MX does not support STARTTLS
On 23/09/2020 18:16, Jeremy Harris via Exim-users wrote: > On 23/09/2020 16:59, Bill Cole via Exim-users wrote:
>> 1. You don't allow any TLS versions below 1.2. While that may seem to be
>> a safety measure, it actually can cause problems because a client that
>> does not support v1.2 or v1.3 can only resort to sending in clear text.
>>
>> 2. Your server is soliciting client certificates and sending a list of
>> 126 acceptable CAs. Some clients may interpret the solicitation of
>> client certs as a demand for a client cert, and when they cannot match a
>> CA on that list, will give up. Unless you are using client certs for
>> authentication (generally not useful on port 25) there's no reason to
>> solicit them.
> No, neither of those - the GMX end is not even soliciting STARTTLS.
> It doesn't get as far as trying a TLS handshake.
>
> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
> if one of those is confusing them.
Disable chunking, enable TLS v1.1 and are you using RSA or ECC
certificates at your end?
I found that the world+dog (facebook, google, gmail, hotmail, amazon,
apple ...) would talk to my relay servers with Sec-p521 ECC *except*
Microsoft... for some reason Microsoft will only talk to mail servers if
they are using RSA certificates - dumb if you ask me.
