Following Dukhovni's analysis, I contacted the ISP hosting our
VPS mail server. They sent the following explanation for why
STARTTLS does not appear in the SMTP handshake, but Google
insists our emails were delivered over TLSv1.3 in accordance with
their MTA-STS policy.
"All outgoing mail from our network is relayed through a spam
filtering system that may affect how certain TLS negotiation
stages (like 250-STARTTLS) are exposed during the
SMTP handshake.
That said, TLS encryption is still enforced between our relay
system and the recipient's mail servers. This means your outgoing
messages are still being delivered securely, even if 250-STARTTLS
isn't explicitly shown during your tests.
Unfortunately, this is standard industry practice and cannot be
disabled."
On 5/13/25 15:13, Gregory Kohring wrote:
> On 5/13/25 15:04, Viktor Dukhovni via Postfix-users wrote:
>> On Tue, May 13, 2025 at 02:43:52PM +0200, Gregory Kohring via Postfix-users wrote:
>>> posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary "[gmail-smtp-in.l.google.com]"
>>> posttls-finger: initializing the client-side TLS engine
>>> posttls-finger: Connected to gmail-smtp-in.l.google.com[142.251.2.27]:25
>>> posttls-finger: < 220 mx.google.com ESMTP 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp
>>> posttls-finger: > EHLO mail.mydomain.com
>>> posttls-finger: < 250-mx.google.com at your service, [63.250.35.78]
>>> posttls-finger: < 250-SIZE 157286400
>>> posttls-finger: < 250-8BITMIME
>>> posttls-finger: < 250-ENHANCEDSTATUSCODES
>>> posttls-finger: < 250 SMTPUTF8
>>> posttls-finger: > QUIT
>>> posttls-finger: < 221 2.0.0 closing connection 41be03b00d2f7-b2352ed14e2si12212416a12.613 - gsmtp
>>
>> Something, perhaps a middle-box, or "security software" on your system,
>> ..., is hiding the true EHLO response from GMail (unless, for some
>> reason, GMail is choosing to not offer you STARTTLS, which seems quite
>> unlikely).
>>
>> What you should expect to see is:
>>
>> $ posttls-finger -F /etc/ssl/certs/ca-certificates.crt -lsecure -Lsummary "[gmail-smtp-in.l.google.com]"
>> posttls-finger: Connected to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25
>> posttls-finger: < 220 mx.google.com ESMTP d2e1a72fcca58-74237a13b5fsi13072362b3a.139 - gsmtp
>> posttls-finger: > EHLO chardros.imrryr.org
>> posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
>> posttls-finger: < 250-SIZE 157286400
>> posttls-finger: < 250-8BITMIME
>> posttls-finger: < 250-STARTTLS
>> posttls-finger: < 250-ENHANCEDSTATUSCODES
>> posttls-finger: < 250-PIPELINING
>> posttls-finger: < 250-CHUNKING
>> posttls-finger: < 250 SMTPUTF8
>> posttls-finger: > STARTTLS
>> posttls-finger: < 220 2.0.0 Ready to start TLS
>> posttls-finger: Verified TLS connection established to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature ECDSA (prime256v1) server-digest SHA256
>> posttls-finger: > EHLO chardros.imrryr.org
>> posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
>> posttls-finger: < 250-SIZE 157286400
>> posttls-finger: < 250-8BITMIME
>> posttls-finger: < 250-ENHANCEDSTATUSCODES
>> posttls-finger: < 250-PIPELINING
>> posttls-finger: < 250-CHUNKING
>> posttls-finger: < 250 SMTPUTF8
>> posttls-finger: > QUIT
>> posttls-finger: < 221 2.0.0 closing connection d2e1a72fcca58-74237a13b5fsi13072362b3a.139 - gsmtp
>>
>> You're missing:
>>
>> posttls-finger: < 250-STARTTLS
>> posttls-finger: < 250-PIPELINING
>> posttls-finger: < 250-CHUNKING
>
> Thank you. I'll have a chat with our ISP.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
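The diagnosis in the thread comes down to comparing two EHLO replies: the one seen through the ISP's relay (no STARTTLS) against the one GMail actually sends (STARTTLS present, followed by a verified TLSv1.3 session). The script below is an added example, not code from the thread or from Postfix: it parses posttls-finger style transcripts, extracts the ESMTP extensions from the cleartext EHLO reply, reports whether STARTTLS was offered and whether a TLS session was established and verified, and lists which extensions the observed session lacks relative to a reference session. The two embedded transcripts are constructed from the sessions quoted above (with the ESMTP ids shortened), and the `assess` and `missing_extensions` helpers are my own names. Note what such a check can and cannot tell you: it observes the hop the client can see, so it can show that the STARTTLS offer never reached the client, but it cannot confirm what a relay does on its own next hop.

```python
# Added example (not from the Postfix-users thread): parse posttls-finger
# transcripts and flag a STARTTLS offer missing from the cleartext EHLO reply.
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed samples modelled on the two sessions in the thread (ESMTP ids shortened).
STRIPPED_TRANSCRIPT = """\
posttls-finger: Connected to gmail-smtp-in.l.google.com[142.251.2.27]:25
posttls-finger: < 220 mx.google.com ESMTP id1 - gsmtp
posttls-finger: > EHLO mail.mydomain.com
posttls-finger: < 250-mx.google.com at your service, [63.250.35.78]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection id1 - gsmtp
"""
DIRECT_TRANSCRIPT = """\
posttls-finger: Connected to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25
posttls-finger: < 220 mx.google.com ESMTP id2 - gsmtp
posttls-finger: > EHLO chardros.imrryr.org
posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
posttls-finger: < 250-SIZE 157286400
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: Verified TLS connection established to gmail-smtp-in.l.google.com[2404:6800:4003:c1c::1b]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519MLKEM768 server-signature ECDSA (prime256v1) server-digest SHA256
posttls-finger: > EHLO chardros.imrryr.org
posttls-finger: < 250-mx.google.com at your service, [2403:5812:bcfe::2]
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-CHUNKING
posttls-finger: < 250 SMTPUTF8
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 closing connection id2 - gsmtp
"""

# "250-" continues a multi-line EHLO reply; "250 " (space) is its last line.
EHLO_LINE = re.compile(r"^posttls-finger: < 250([- ])(.*)$")
# posttls-finger prefixes "TLS connection established" with Verified/Trusted/Untrusted/Anonymous.
TLS_LINE = re.compile(r"^posttls-finger: (\w+) TLS connection established to .*?: (TLSv[\d.]+) with cipher (\S+)")

@dataclass
class SessionReport:
    # (encrypted, extensions) per EHLO reply, in order. A post-STARTTLS EHLO
    # legitimately omits STARTTLS, so only cleartext replies are judged.
    ehlo_replies: list[tuple[bool, list[str]]] = field(default_factory=list)
    tls_level: str | None = None
    tls_protocol: str | None = None
    tls_cipher: str | None = None

    def cleartext_extensions(self) -> list[str]:
        return [ext for enc, exts in self.ehlo_replies if not enc for ext in exts]

    @property
    def starttls_offered(self) -> bool:
        return "STARTTLS" in self.cleartext_extensions()

def parse_transcript(text: str) -> SessionReport:
    report = SessionReport()
    current: list[str] | None = None
    for line in text.splitlines():
        m = EHLO_LINE.match(line.strip())
        if m:
            sep, body = m.groups()
            if current is None:
                current = []  # first 250 line carries the server name, not an extension
            else:
                current.append(body.split()[0].upper())  # keyword only: "SIZE 157286400" -> "SIZE"
            if sep == " ":
                report.ehlo_replies.append((report.tls_level is not None, current))
                current = None
            continue
        m = TLS_LINE.match(line.strip())
        if m:
            report.tls_level, report.tls_protocol, report.tls_cipher = m.groups()
    return report

def missing_extensions(observed: SessionReport, expected: SessionReport) -> list[str]:
    """Extensions the reference cleartext EHLO reply advertises but the observed one lacks."""
    return sorted(set(expected.cleartext_extensions()) - set(observed.cleartext_extensions()))

def assess(report: SessionReport) -> list[str]:
    findings = []
    if not report.starttls_offered:
        findings.append("STARTTLS not advertised in the cleartext EHLO reply: either the server "
                        "does not offer TLS or something on the path is removing the offer")
    elif report.tls_level is None:
        findings.append("STARTTLS advertised but no TLS session was established")
    elif report.tls_level in ("Untrusted", "Anonymous"):
        findings.append(f"{report.tls_level} TLS: the peer certificate was not verified")
    return findings

if __name__ == "__main__":
    seen, want = parse_transcript(STRIPPED_TRANSCRIPT), parse_transcript(DIRECT_TRANSCRIPT)
    print("findings:", assess(seen) or "none")
    print("missing vs. direct session:", missing_extensions(seen, want))
    print("direct session:", want.tls_level, want.tls_protocol, want.tls_cipher)
```

Run against the thread's two sessions it reports the same three missing extensions Dukhovni listed (CHUNKING, PIPELINING, STARTTLS) and flags the relayed session as having no STARTTLS offer, while the direct session passes with a Verified TLSv1.3 connection. The same parser can be pointed at the saved output of a posttls-finger run from any host to tell a server that genuinely lacks TLS apart from one whose offer is being removed on the path.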