> We've suddenly had a couple of reports from users about people sending
> to them (e.g. sending from a remote service to our servers) failing and
> bouncing with the error message:
>
> Certificate rejected over TLS. (unknown protocol)
Just to update with more information. So it turns out we'd actually encountered this problem before (Oct 2015), and had put a workaround in place at the time. It appears that us.af.mil servers were having problems connecting to our postfix instances, and at the time I couldn't work out what the obvious reason was, so I had added this to our postfix config.

main.cf

  ...
  # Disable starttls for some problematic hosts
  smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/access_client-helo_keyword.cidr

access_client-helo_keyword.cidr

  # us.af.mil has TLS problems. IPs taken from SPF record (e.g. dig us.af.mil TXT)
  132.3.0.0/16    starttls
  ...
  131.15.70.0/24  starttls

It appears recently they must have added additional servers, since their SPF records have changed. Adding these:

  +131.9.253.0/24 starttls
  +131.27.1.0/24  starttls

Fixed the problem. Ideally I'd like to actually work out what's causing the sending servers to fail with our TLS configuration, but it's a bit of work I haven't had time for, thus this workaround for now.

-- 
Rob Mueller
r...@fastmail.fm
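As an added example (not part of Rob's post), the helper below turns the ip4:/ip6: mechanisms of an SPF record into the cidr: map format the post feeds to smtpd_discard_ehlo_keyword_address_maps, and flags mechanisms that need a further DNS lookup instead of dropping them, which is how the new senders in the post went unnoticed. The SPF record and its prefixes are constructed (RFC 5737/3849 documentation ranges), not the us.af.mil ones, and the function names are my own.

```shell
#!/bin/sh
# Constructed SPF record standing in for the output of `dig +short us.af.mil TXT`.
# Prefixes are documentation ranges, not the ones from the post.
SPF_RECORD='"v=spf1 ip4:192.0.2.0/24 +ip4:198.51.100.17 ip6:2001:db8::/32 include:_spf.example.net mx -all"'

# spf_to_cidr_map: SPF text on stdin -> Postfix cidr: map lines on stdout, one
# "prefix<TAB>starttls" entry per ip4:/ip6: mechanism. Mechanisms that resolve
# to further DNS data (include:, redirect=, exists:, a, mx) are emitted as
# comments so the operator sees that the record lists more senders than the
# literal prefixes cover.
spf_to_cidr_map() {
    tr -d '"' | tr ' ' '\n' | awk '
        { sub(/^[+~?-]/, "") }          # drop the SPF qualifier (+ - ~ ?)
        /^ip4:/ {
            p = substr($0, 5)
            if (p !~ /\//) p = p "/32"  # make the host mask explicit
            print p "\tstarttls"
        }
        /^ip6:/ {
            p = substr($0, 5)
            if (p !~ /\//) p = p "/128"
            print p "\tstarttls"
        }
        /^(include:|redirect=|exists:)/ || /^(a|mx)$/ || /^(a|mx)[:\/]/ {
            print "# needs DNS expansion, add its addresses by hand: " $0
        }'
}

# count_starttls_entries: number of active (non-comment) map entries on stdin,
# a quick sanity check before installing the file and running postmap.
count_starttls_entries() {
    grep -c 'starttls$'
}

printf '%s\n' "$SPF_RECORD" | spf_to_cidr_map
```

Every entry in such a map downgrades that peer to cleartext SMTP, so the flagged mechanisms are worth resolving deliberately and the whole list revisiting once the peer's TLS failure is understood.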