Author: Christian Eyrich Date: To: exim-users Subject: Re: [exim] remote MX does not support STARTTLS
Am 23.09.2020 um 19:36 schrieb Mike Tubby via Exim-users: > On 23/09/2020 18:16, Jeremy Harris via Exim-users wrote:
>> On 23/09/2020 16:59, Bill Cole via Exim-users wrote:
>>> 1. You don't allow any TLS versions below 1.2. While that may seem to be
>>> a safety measure, it actually can cause problems because a client that
>>> does not support v1.2 or v1.3 can only resort to sending in clear text.
>>>
>>> 2. Your server is soliciting client certificates and sending a list of
>>> 126 acceptable CAs. Some clients may interpret the solicitation of
>>> client certs as a demand for a client cert, and when they cannot match a
>>> CA on that list, will give up. Unless you are using client certs for
>>> authentication (generally not useful on port 25) there's no reason to
>>> solicit them.
>> No, neither of those - the GMX end is not even soliciting STARTTLS.
>> It doesn't get as far as trying a TLS handshake.
>>
>> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
>> if one of those is confusing them.
>
> Disable chunking, enable TLS v1.1
Unfortunately already tried that in the meantime.
> and are you using RSA or ECC certificates at your end? It’s plain old RSA 4096. But GMX doesn’t even get that far to start TLS.
