Thanks Viktor and Jeremy for your assistance!
So Viktor just told me that the SNI problem is related to the crypto fail problem.
So for Jeremy's questions:
"exim -bP transport remote_smtp | grep dane"
responds with:
dane_require_tls_ciphers =
hosts_require_dane =
hosts_try_dane = *
which should be the lowest possible configuration, as I tried to change as little as possible.
And there is no MITM or anything else. I captured with tcpdump on the outgoing interface and found
no SNI in the Client Hello.
There is also nothing like AppArmor or SELinux, no Docker or anything like that. It's a core virtual
server with its own IP address, no outbound firewall, nothing.
I am learning at least that this Mail-Test seems to earn the label TEST, as I got top-level
scores for my setup from all the usual culprits out there.
So my result so far looks like:
The connection problem seems to be somewhere in GnuTLS, as exim just asks GnuTLS for verification
and makes no decisions of its own, based on GnuTLS feedback.
The problem is triggered by the fact that my exim is not using SNI (neither with OpenSSL nor with
GnuTLS).
As I am using in the test environment the default Debian configuration, just with the minimal
modifications to make DANE and DKIM work.
regards
Wolfgang