Viktor Dukhovni wrote the following on 07/02/14 19:07:
On Thu, Feb 06, 2014 at 05:37:16PM +0000, Alan Munday wrote:
>> I did try CA:FALSE but this was causing outlook.com mail to fail
>> (and, as Viktor stated, mail from other domains as well).
>
> Usually, the CA certificate is created using a different extension
> section (not "usr_cert"). You then have "CA:FALSE" in "usr_cert",
> and "CA:TRUE" in the CA extension section.

I'll try this.
You now have working TLS on mx1, so that's fine. As for mx3, its problem is not TLS. Almost certainly any large packets sent by mx3 will run into the same MTU issue. For example, it likely can't send bounces... Try to send a large message from mx3 to the outside world. If that works, but sending a TLS certificate to the client does not, I'll be surprised (a less obvious explanation will be required for the reported symptoms, perhaps hardware problems with the NIC that corrupt some data and not other data, ...).
I did follow up with the results of some tcpdumps which showed where the problem was.

The ISP suggested taking the MTU down to 1400 and, if that did not work, to try changing the encapsulation type from PPPoA to PPPoE. Moving to PPPoE was the option that worked.
That was at about 17:00 and I've not seen any TLS establishment failures since.
Thank you.

Alan
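The MTU diagnosis above is the kind of thing a tcpdump of a failing TLS handshake makes visible. As an added example (not from this thread, and not Alan's actual capture), the following Python script parses constructed tcpdump lines and flags the PMTU black-hole signature: an ICMP "need to frag" message advertising a smaller MTU, while the sender keeps retransmitting the same oversized TCP segment unchanged. Sample addresses, port numbers and the 40-byte header assumption are all constructed for the example.

```python
import re

# Constructed sample tcpdump output (not a real capture from the thread):
# an MX sends a 1460-byte TLS segment (the certificate chain), a router
# answers with ICMP "need to frag" advertising a 1492-byte path MTU
# (typical for PPPoE), and the MX resends the same segment unchanged.
SAMPLE_DUMP = """\
12:00:01.100000 IP 198.51.100.5.25 > 192.0.2.10.45678: Flags [P.], seq 1:1461, ack 1, win 229, length 1460
12:00:01.100900 IP 203.0.113.1 > 198.51.100.5: ICMP 192.0.2.10 unreachable - need to frag (mtu 1492), length 556
12:00:01.200000 IP 198.51.100.5.25 > 192.0.2.10.45678: Flags [P.], seq 1:1461, ack 1, win 229, length 1460
12:00:01.300000 IP 198.51.100.5.25 > 192.0.2.10.45678: Flags [P.], seq 1461:1561, ack 1, win 229, length 100
"""

FRAG_RE = re.compile(r"ICMP (\S+) unreachable - need to frag \(mtu (\d+)\)")
TCP_RE = re.compile(r"IP (\S+) > (\S+): Flags \[.*?\].*? length (\d+)$")

IP_TCP_HEADERS = 40  # assumption: IPv4 + TCP headers, no options


def analyse(dump: str):
    """Return (smallest advertised path MTU or None, oversized TCP segments).

    A segment is oversized when its IP packet (payload + headers) exceeds the
    smallest MTU any ICMP "need to frag" message in the dump advertised.
    Repeated, identical oversized segments after such a message mean the
    sender is not honouring (or not receiving) the ICMP: small plaintext
    SMTP commands pass, the large TLS certificate packet never arrives.
    """
    mtu = None
    segments = []
    for line in dump.splitlines():
        frag = FRAG_RE.search(line)
        if frag:
            advertised = int(frag.group(2))
            mtu = advertised if mtu is None else min(mtu, advertised)
            continue
        tcp = TCP_RE.search(line)
        if tcp:
            src, dst, payload = tcp.group(1), tcp.group(2), int(tcp.group(3))
            segments.append((src, dst, payload + IP_TCP_HEADERS))
    oversized = [s for s in segments if mtu is not None and s[2] > mtu]
    return mtu, oversized


if __name__ == "__main__":
    path_mtu, bad = analyse(SAMPLE_DUMP)
    print(f"smallest advertised path MTU: {path_mtu}")
    for src, dst, size in bad:
        print(f"oversized segment {src} -> {dst}: {size} bytes")
```

Run against a real capture, a lowered interface MTU or a correct encapsulation (as the ISP advised here) should make the oversized list empty, because the sender then emits segments that fit the advertised path MTU.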