Re: [exim] remote MX does not support STARTTLS

Author: Christian Eyrich
Date:  
To: Bill Cole via Exim-users
Subject: Re: [exim] remote MX does not support STARTTLS
On 23.09.2020 at 17:59, Bill Cole via Exim-users wrote:
Hi Bill,

> No. Your server seems to support TLS v1.3 and v1.2 just fine.


Generally I’d be happy to read. But in this case it’s a bit disappointing.

> Yes. There are 2 issues that *may* be causing trouble:
>
> 1. You don't allow any TLS versions below 1.2. While that may seem to be
> a safety measure, it actually can cause problems because a client that
> does not support v1.2 or v1.3 can only resort to sending in clear text.


I’d understand if they tried starting TLS and failing because of it. But
they disconnect before even trying.
And second, GMX speaks TLS 1.3 fluently (I checked by sending to my
account at a mail provider).

I nevertheless checked by temporarily enabling v1.1 but still failed.

> 2. Your server is soliciting client certificates and sending a list of
> 126 acceptable CAs. Some clients may interpret the solicitation of
> client certs as a demand for a client cert, and when they cannot match a
> CA on that list, will give up. Unless you are using client certs for
> authentication (generally not useful on port 25) there's no reason to
> solicit them.


I was made aware of this unwanted behaviour (I only wanted to try to
verify when sending through tls_try_verify_hosts, not receiving) and
fixed it already, but to no avail.

>> But GMX is a quite large provider here in Germany and the problem
>> persists since the beginning of September now—shouldn’t somebody have noticed
>> that?
>> Since I also wasn't able to contact the GMX postmaster I’m asking you
>> for ideas.
>
> Since GMX offers free accounts, you might find it useful to get one so
> that you can contact them more easily.


I do have a GMX account. But one doesn't get support with a free account.

Regards,
Christian
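
A way to confirm from the outside whether an MX still solicits client certificates (point 2 in the quoted reply) and which TLS version it negotiates, as an added example that is not part of the original message. The function names, the placeholder host `mx.example.org` and both sample outputs are constructed for illustration; the parser assumes the usual `openssl s_client` layout, where each solicited CA appears as one distinguished-name line.

```shell
#!/bin/sh
# Added example: summarise `openssl s_client` output captured from an MX.
# A real capture would come from a command such as (placeholder host):
#   openssl s_client -starttls smtp -connect mx.example.org:25 </dev/null 2>/dev/null

# Reads s_client output on stdin.
# Prints "<negotiated protocol> <number of CA names solicited from the client>".
summarise_handshake() {
  awk '
    /^Acceptable client certificate CA names/ { in_ca = 1; next }
    in_ca && /=/ { ca++; next }   # DN lines carry attribute=value pairs
    in_ca        { in_ca = 0 }    # first non-DN line ends the CA list
    /^New, /     { split($0, f, ", "); proto = f[2] }
    END { printf "%s %d\n", (proto ? proto : "none"), ca + 0 }
  '
}

# Constructed sample: server solicits client certs (2 CA names, not 126).
sample_soliciting() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = mx.example.org
   i:C = XX, O = Example CA, CN = Example Issuing CA
---
Acceptable client certificate CA names
C = XX, O = Example CA, CN = Example Root 1
C = XX, O = Example CA, CN = Example Root 2
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
EOF
}

# Constructed sample: same server after the solicitation was switched off.
sample_fixed() {
cat <<'EOF'
CONNECTED(00000003)
---
No client certificate CA names sent
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
EOF
}

echo "before: $(sample_soliciting | summarise_handshake)"
echo "after:  $(sample_fixed | summarise_handshake)"
```

A count of 0 only shows that no CA list was sent: `s_client` prints the same "No client certificate CA names sent" line when a certificate request arrives with an empty CA list.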