On 5/13/25 14:16, Viktor Dukhovni via Postfix-users wrote:
On Tue, May 13, 2025 at 01:44:14PM +0200, Gregory Kohring via Postfix-users wrote:

More likely misconfiguration, or perhaps some middlebox between you and
Gmail.  Test with:

      $ posttls-finger -c -F /etc/ssl/cert.pem -lsecure -Lsummary "[gmail-smtp-in.l.google.com]"
      posttls-finger: Verified TLS connection established to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1a]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature ECDSA (prime256v1) server-digest SHA256

replacing "/etc/ssl/cert.pem" with whatever file name holds the trusted
root CAs on your system.  Any middlebox on your end should not be able
to impersonate Gmail (unless it is a locally trusted CA).


posttls-finger -c -F /etc/ssl/certs/ca-certificates.crt -lsecure -Ldebug"[gmail-smtp-in.l.google.com]"

returns

posttls-finger: initializing the client-side TLS engine

I am assuming the missing space between the (not requested) -Ldebug and
the SMTP nexthop is an error in posting the command used.  If that's all
the output you got, drop the "-c" and see what the remote server's EHLO
response is from your vantage.


posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Ldebug,ssl-debug "[gmail-smtp-in.l.google.com]"

posttls-finger: initializing the client-side TLS engine
posttls-finger: Connected to gmail-smtp-in.l.google.com[142.251.2.27]:25
posttls-finger: < 220 mx.google.com ESMTP 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp
posttls-finger: > EHLO mail.mydomain.com
posttls-finger: < 250-mx.google.com at your service, [63.250.35.78]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp
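
The EHLO reply in the transcript above lists no STARTTLS keyword. As an added example that is not part of the original thread, this script parses a `posttls-finger -Ldebug` transcript and reports whether STARTTLS was advertised; the function names and the second sample transcript are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the EHLO reply in a
# posttls-finger -Ldebug transcript for the STARTTLS extension.

# ehlo_extensions: read a transcript on stdin and print one upper-cased
# extension keyword per line, taken from the reply to the first EHLO.
ehlo_extensions() {
    awk '
        /^posttls-finger: > EHLO / { in_ehlo = 1; first = 1; next }
        in_ehlo && /^posttls-finger: < 250[- ]/ {
            last = ($0 ~ /^posttls-finger: < 250 /)   # "250 " ends the reply
            line = $0
            sub(/^posttls-finger: < 250[- ]/, "", line)
            if (first) first = 0                      # first line is the greeting
            else { split(line, w, " "); print toupper(w[1]) }
            if (last) exit
            next
        }
        in_ehlo { exit }                              # reply ended some other way
    '
}

# starttls_offered: exit status 0 if STARTTLS is among the extensions.
starttls_offered() { ehlo_extensions | grep -qx 'STARTTLS'; }

# check: print a one-line verdict for the transcript passed as $1.
check() {
    if printf '%s\n' "$1" | starttls_offered; then
        echo "STARTTLS offered"
    else
        echo "STARTTLS NOT offered"
    fi
}

# EHLO exchange copied from the transcript in the post above.
SAMPLE_POSTED='posttls-finger: > EHLO mail.mydomain.com
posttls-finger: < 250-mx.google.com at your service, [63.250.35.78]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT'

# Constructed transcript (not from the thread) that does advertise STARTTLS.
SAMPLE_WITH_TLS='posttls-finger: > EHLO client.example
posttls-finger: < 250-mx.example at your service
posttls-finger: < 250-starttls
posttls-finger: < 250 SMTPUTF8'

check "$SAMPLE_POSTED"
check "$SAMPLE_WITH_TLS"
```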
