On Tue, Dec 24, 2024 at 12:33:04PM -0800, Randy Bush via Postfix-users wrote:
> why is the actual mail not transferred.  how to debug?
> 
> 2024-12-24T20:27:05.074565+00:00 m0 postfix/smtpd[188336]: connect from mail-koreacentralazon11023102.outbound.protection.outlook.com[40.107.44.102]
> 2024-12-24T20:27:05.482255+00:00 m0 postfix/smtpd[188336]: setting up TLS connection from mail-koreacentralazon11023102.outbound.protection.outlook.com[40.107.44.102]
> 2024-12-24T20:27:05.482713+00:00 m0 postfix/smtpd[188336]: mail-koreacentralazon11023102.outbound.protection.outlook.com[40.107.44.102]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
> 2024-12-24T20:27:05.483096+00:00 m0 postfix/smtpd[188336]: SSL_accept:before SSL initialization
> 2024-12-24T20:27:05.692962+00:00 m0 postfix/smtpd[188336]: SSL_accept:before SSL initialization
> 2024-12-24T20:27:05.693067+00:00 m0 postfix/smtpd[188336]: SSL_accept:SSLv3/TLS read client hello
> 2024-12-24T20:27:05.694052+00:00 m0 postfix/smtpd[188336]: SSL_accept:SSLv3/TLS write server hello
> 2024-12-24T20:27:05.694260+00:00 m0 postfix/smtpd[188336]: SSL_accept:SSLv3/TLS write change cipher spec
> 2024-12-24T20:27:05.694412+00:00 m0 postfix/smtpd[188336]: SSL_accept:TLSv1.3 write encrypted extensions
> 2024-12-24T20:27:05.694569+00:00 m0 postfix/smtpd[188336]: SSL_accept:SSLv3/TLS write certificate
> 2024-12-24T20:27:05.694803+00:00 m0 postfix/smtpd[188336]: SSL_accept:TLSv1.3 write server certificate verify
> 2024-12-24T20:27:05.695047+00:00 m0 postfix/smtpd[188336]: SSL_accept:SSLv3/TLS write finished
> 2024-12-24T20:27:05.695166+00:00 m0 postfix/smtpd[188336]: SSL_accept:TLSv1.3 early data
> 2024-12-24T20:27:05.900134+00:00 m0 postfix/smtpd[188336]: SSL_accept:TLSv1.3 early data
> 2024-12-24T20:27:05.900509+00:00 m0 postfix/smtpd[188336]: SSL_accept:SSLv3/TLS read finished
> 2024-12-24T20:27:05.900716+00:00 m0 postfix/smtpd[188336]: mail-koreacentralazon11023102.outbound.protection.outlook.com[40.107.44.102]: Issuing session ticket, key expiration: 1735073795
> 2024-12-24T20:27:05.900904+00:00 m0 postfix/smtpd[188336]: SSL_accept:SSLv3/TLS write session ticket
> 2024-12-24T20:27:05.901078+00:00 m0 postfix/smtpd[188336]: Anonymous TLS connection established from mail-koreacentralazon11023102.outbound.protection.outlook.com[40.107.44.102]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1) server-signature ECDSA (prime256v1) server-digest SHA256
> 2024-12-24T20:27:06.105081+00:00 m0 postfix/smtpd[188336]: disconnect from mail-koreacentralazon11023102.outbound.protection.outlook.com[40.107.44.102] ehlo=1 starttls=1 quit=1 commands=3

Randy, I'm disappointed...  After all these years of sending you notices
about (not) keeping your DANE TLSA records matching your deployed certs,
you're still winging it:

    https://stats.dnssec-tools.org/explore/?psg.com

    Date: Wed, 30 Dec 2015 19:54:09 +0000
    Date: Sun, 10 Apr 2016 03:09:48 +0000
    Date: Wed,  4 May 2016 18:36:01 +0000
    Date: Mon,  2 Jan 2017 05:57:07 +0000
    Date: Wed, 18 Jan 2017 16:55:56 +0000
    Date: Thu,  2 Nov 2023 02:01:00 +0000
    Date: Mon, 11 Dec 2023 17:39:58 +0000
    Date: Mon, 24 Jun 2024 13:35:29 +0000

I'd like to suggest some serious attention to monitoring and process, or
stop publishing DANE TLSA records.  DANE isn't a fashion statement, it is
an operational responsibility.  It isn't that difficult to do it right,
but some attention to detail is required.

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
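
Added example, not part of the original message or of Postfix: a minimal monitoring check for the situation the reply describes, comparing published TLSA records against the deployed leaf certificate. The function names, the `(usage, selector, mtype, data)` tuple layout and the constructed stand-in certificates are assumptions; only usage 3 (DANE-EE) records are evaluated.

```python
import hashlib

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, off, off + length

def spki_der(cert):
    """Slice the SubjectPublicKeyInfo element out of a DER certificate."""
    _, start, _ = read_tlv(cert, 0)        # Certificate SEQUENCE
    _, off, end = read_tlv(cert, start)    # TBSCertificate SEQUENCE
    fields = []
    while off < end:
        tag, _, nxt = read_tlv(cert, off)
        fields.append((tag, off, nxt))
        off = nxt
    if fields[0][0] == 0xA0:               # optional [0] version
        fields = fields[1:]
    _, s, e = fields[5]  # after serial, sigalg, issuer, validity, subject
    return cert[s:e]

def tlsa_matches(cert, selector, mtype, data_hex):
    """RFC 6698 selector/matching-type comparison against one cert."""
    blob = cert if selector == 0 else spki_der(cert)
    hashes = {1: hashlib.sha256, 2: hashlib.sha512}
    if mtype in hashes:                    # mtype 0 compares the raw bytes
        blob = hashes[mtype](blob).digest()
    return blob.hex() == data_hex.lower().replace(" ", "")

def check_dane_ee(cert, rrset):
    """True if any usage-3 (DANE-EE) record in rrset matches the leaf cert."""
    return any(tlsa_matches(cert, sel, mt, data)
               for usage, sel, mt, data in rrset if usage == 3)

# --- constructed sample input: structural stand-ins, not real certs ---
def tlv(tag, val):
    return bytes([tag, len(val)]) + val    # short-form lengths only

def fake_cert(pubkey):
    spki = tlv(0x30, tlv(0x30, b"\x06\x01\x2a") + tlv(0x03, b"\x00" + pubkey))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") * 4 + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

OLD, NEW = fake_cert(b"old-key"), fake_cert(b"new-key")
PUBLISHED = [(3, 1, 1, hashlib.sha256(spki_der(OLD)).hexdigest())]
```

In real use the DER certificate would come from the server's STARTTLS handshake and the record tuples from a DNSSEC-validated lookup of the TLSA RRset for the MX host; a `False` from `check_dane_ee` is the condition to alert on.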
