On 5/13/25 15:04, Viktor Dukhovni via Postfix-users wrote:
On Tue, May 13, 2025 at 02:43:52PM +0200, Gregory Kohring via Postfix-users wrote:

posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary "[gmail-smtp-in.l.google.com]"

posttls-finger: initializing the client-side TLS engine
posttls-finger: Connected to gmail-smtp-in.l.google.com[142.251.2.27]:25
posttls-finger: < 220 mx.google.com ESMTP 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp
posttls-finger: > EHLO mail.mydomain.com
posttls-finger: < 250-mx.google.com at your service, [63.250.35.78]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp

Something, perhaps a middle-box, or "security software" on your system,
..., is hiding the true EHLO response from GMail (unless, for some
reason, GMail is choosing to not offer you STARTTLS, which seems quite
unlikely).

What you should expect to see is:

     $ posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary "[gmail-smtp-in.l.google.com]"
     posttls-finger: Connected to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25
     posttls-finger: < 220 mx.google.com ESMTP d2e1a72fcca58-74237a13b5fsi13072362b3a.139 - gsmtp
     posttls-finger: > EHLO chardros.imrryr.org
     posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
     posttls-finger: < 250-SIZE 157286400
     posttls-finger: < 250-8BITMIME
     posttls-finger: < 250-STARTTLS
     posttls-finger: < 250-ENHANCEDSTATUSCODES
     posttls-finger: < 250-PIPELINING
     posttls-finger: < 250-CHUNKING
     posttls-finger: < 250 SMTPUTF8
     posttls-finger: > STARTTLS
     posttls-finger: < 220 2.0.0 Ready to start TLS
     posttls-finger: Verified TLS connection established to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature ECDSA (prime256v1) server-digest SHA256
     posttls-finger: > EHLO chardros.imrryr.org
     posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
     posttls-finger: < 250-SIZE 157286400
     posttls-finger: < 250-8BITMIME
     posttls-finger: < 250-ENHANCEDSTATUSCODES
     posttls-finger: < 250-PIPELINING
     posttls-finger: < 250-CHUNKING
     posttls-finger: < 250 SMTPUTF8
     posttls-finger: > QUIT
     posttls-finger: < 221 2.0.0 closing connection d2e1a72fcca58-74237a13b5fsi13072362b3a.139 - gsmtp

You're missing:

     posttls-finger: < 250-STARTTLS
     posttls-finger: < 250-PIPELINING
     posttls-finger: < 250-CHUNKING


Thank you. I'll have a chat with our ISP.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
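
The comparison made in the thread above can be automated. This is an added example, not part of the original messages or of Postfix: it extracts the keywords of the first, cleartext EHLO reply from a posttls-finger transcript and lists what is absent relative to a known-good transcript. The function names `cleartext_keywords` and `diagnose` are hypothetical; the two sample transcripts are the ones quoted in the thread.

```python
import re

# Transcripts copied from the thread above (wrapped lines joined, TLS part omitted).
OBSERVED = """\
posttls-finger: > EHLO mail.mydomain.com
posttls-finger: < 250-mx.google.com at your service, [63.250.35.78]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
"""
EXPECTED = """\
posttls-finger: > EHLO chardros.imrryr.org
posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
"""

SENT = re.compile(r"^\s*posttls-finger: > (\S+)")
REPLY = re.compile(r"^\s*posttls-finger: < 250[- ](\S+)")

def cleartext_keywords(transcript):
    """EHLO keywords offered before any STARTTLS, i.e. what a middle-box can edit."""
    replies, ehlo_seen = [], False
    for line in transcript.splitlines():
        sent = SENT.match(line)
        if sent and ehlo_seen:
            break                      # next client command ends the first EHLO reply
        if sent:
            ehlo_seen = sent.group(1).upper() == "EHLO"
        elif ehlo_seen and (m := REPLY.match(line)):
            replies.append(m.group(1).upper())
    return set(replies[1:])            # first 250 line is the greeting, not a keyword

def diagnose(observed, expected):
    seen, want = cleartext_keywords(observed), cleartext_keywords(expected)
    return {"starttls_offered": "STARTTLS" in seen, "missing": sorted(want - seen)}

if __name__ == "__main__":
    print(diagnose(OBSERVED, EXPECTED))
```

Running the same comparison on a transcript captured from a different network path helps show whether the keywords disappear in transit or at the sending host.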