[pfx] Re: MTA-STS and STARTTLS

Tue, 13 May 2025 06:04:57 -0700 

On Tue, May 13, 2025 at 02:43:52PM +0200, Gregory Kohring via Postfix-users 
wrote:

> posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary 
> "[gmail-smtp-in.l.google.com]"
> 
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: Connected to gmail-smtp-in.l.google.com[142.251.2.27]:25
> posttls-finger: < 220 mx.google.com ESMTP 
> 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp
> posttls-finger: > EHLO mail.mydomain.com
> posttls-finger: < 250-mx.google.com at your service, [63.250.35.78]
> posttls-finger: < 250-SIZE 157286400
> posttls-finger: < 250-8BITMIME
> posttls-finger: < 250-ENHANCEDSTATUSCODES
> posttls-finger: < 250 SMTPUTF8
> posttls-finger: > QUIT
> posttls-finger: < 221 2.0.0 closing connection 
> 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp

Something, perhaps a middle-box, or "security software" on your system,
..., is hiding the true EHLO response from GMail (unless for, some
reason, GMail is choosing to not offer you STARTTLS, which seems quite
unlikely).

What you should expect to see is:

    $ posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary 
"[gmail-smtp-in.l.google.com]"
    posttls-finger: Connected to 
gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25
    posttls-finger: < 220 mx.google.com ESMTP 
d2e1a72fcca58-74237a13b5fsi13072362b3a.139 - gsmtp
    posttls-finger: > EHLO chardros.imrryr.org
    posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
    posttls-finger: < 250-SIZE 157286400
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250 SMTPUTF8
    posttls-finger: > STARTTLS
    posttls-finger: < 220 2.0.0 Ready to start TLS
    posttls-finger: Verified TLS connection established to 
gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25: TLSv1.3 with cipher 
TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 
server-signature ECDSA (prime256v1) server-digest SHA256
    posttls-finger: > EHLO chardros.imrryr.org
    posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
    posttls-finger: < 250-SIZE 157286400
    posttls-finger: < 250-8BITMIME
    posttls-finger: < 250-ENHANCEDSTATUSCODES
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-CHUNKING
    posttls-finger: < 250 SMTPUTF8
    posttls-finger: > QUIT
    posttls-finger: < 221 2.0.0 closing connection 
d2e1a72fcca58-74237a13b5fsi13072362b3a.139 - gsmtp

You're missing:

    posttls-finger: < 250-STARTTLS
    posttls-finger: < 250-PIPELINING
    posttls-finger: < 250-CHUNKING

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Reply via email to