Adam D. Barratt via Exim-users <exim-users@???> (Sa 16 Okt 2021 17:43:57 CEST):
> >
> > This hh.schlittermann.de runs the latest Exim, and probaby sends you
> > an SNI your server for some reason doesn't accept?
>
> FWIW, I've also seen two of these, at 23:53:41UTC yesterday and
> 11:08:41UTC today. The server in question is running Debian's 4.92-
> 8+deb10u6 exim4-daemon-heavy package and has "tls_sni" set in the log
> selector.
>
> The log entries for the second failed connection are:
>
> 2021-10-16 11:08:40 SMTP connection from [213.128.132.49] (TCP/IP connection count = 1)
> 2021-10-16 11:08:41 TLS error on connection from hh.schlittermann.de [213.128.132.49] (gnutls_handshake): A disallowed SNI server name has been received.
> 2021-10-16 11:08:41 SMTP connection from hh.schlittermann.de [213.128.132.49] closed by EOF
> 2021-10-16 11:08:41 no MAIL in SMTP connection from hh.schlittermann.de [213.128.132.49] D=0s C=EHLO,STARTTLS
>
> The same server has received 21 successful connections from
> hh.schlittermann.de in the past couple of days.
Interesting. Can you tell *what* SNI the server hh sent?
That's what the hh server uses as the transport:
remote_smtp:
driver = smtp
tls_sni = $host
dnssec_request_domains = *
hosts_try_dane = *
hosts_require_dane = +require_dane
hosts_try_fastopen =
So, it sends you *your* hostname as an SNI.
--
Heiko
