On Wed, Nov 05, 2014 at 01:27:49PM +0100, Tobias Reckhard wrote:
> Nov 5 12:36:45 pxmail1 postfix/smtp[8378]:
> Trusted TLS connection established to
> mail01.i-sec.tuv.com[193.24.224.9]:25:
> TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> Nov 5 12:36:45 pxmail1 postfix/smtp[8378]: >
> mail01.i-sec.tuv.com[193.24.224.9]:25: EHLO mail.customer
> Nov 5 12:36:45 pxmail1 postfix/smtp[8378]: smtp_get: EOF
>
> It looks as though mail01.i-sec.tuv.com dropped the connection, though I
> see no indication of the reason. Strangely, though, in a tcpdump I
> recorded it appears that our customer's system is sending a [RST, ACK]
> packet directly after sending "TLSv1 Application Data", which very
> probably is its EHLO.

You may have read the wrong direction for the Application Data.
The SMTP client speaks first after EHLO.

$ posttls-finger -dsha256 "[mail01.i-sec.tuv.com]"
posttls-finger: Connected to mail01.i-sec.tuv.com[193.24.224.9]:25
posttls-finger: < 220 mail01.i-sec.tuv.com ESMTP
posttls-finger: > EHLO amnesiac.local
posttls-finger: < 250-mail01.i-sec.tuv.com
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250 STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 Go ahead with TLS
...
posttls-finger: Untrusted TLS connection established to
mail01.i-sec.tuv.com[193.24.224.9]:25: unknown with cipher DHE-RSA-AES256-SHA
(256/256 bits)
posttls-finger: > EHLO amnesiac.local
posttls-finger: < 250-mail01.i-sec.tuv.com
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250 AUTH=PLAIN LOGIN
posttls-finger: > QUIT
posttls-finger: < 221 mail01.i-sec.tuv.com

If the direction is correct, and the server was sending application
data, it would be logged as the response to the post-handshake
EHLO.

If building posttls-finger from Postfix 2.11 source is a pain, you
might find "swaks" handy (swaks does a lot more, but does not
support DANE, and does not exercise Postfix TLS library client
features).

--
Viktor.
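
Added example (not part of the message above, and not Postfix code): a small Python parser that splits a posttls-finger transcript at the TLS handshake and reports, for each phase, whether the EHLO got a 250 reply and which capabilities were advertised. The names analyze and SAMPLE are made up for this sketch, and SAMPLE is constructed by abridging the session shown above.

```python
import re

# Constructed sample, abridged from the posttls-finger session above.
SAMPLE = """\
posttls-finger: > EHLO amnesiac.local
posttls-finger: < 250-mail01.i-sec.tuv.com
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250 STARTTLS
posttls-finger: > STARTTLS
posttls-finger: < 220 Go ahead with TLS
posttls-finger: Untrusted TLS connection established to
mail01.i-sec.tuv.com[193.24.224.9]:25: unknown with cipher DHE-RSA-AES256-SHA
posttls-finger: > EHLO amnesiac.local
posttls-finger: < 250-mail01.i-sec.tuv.com
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-AUTH PLAIN LOGIN
posttls-finger: < 250 AUTH=PLAIN LOGIN
"""

LINE = re.compile(r"^posttls-finger: ([<>]) (.*)$")   # ">" sent, "<" received
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")            # code, continuation flag, text

def analyze(transcript):
    """Return {"plaintext": ..., "tls": ...}; None means no EHLO was sent."""
    phases = {"plaintext": None, "tls": None}
    phase, current = "plaintext", None
    for raw in transcript.splitlines():
        if "TLS connection established" in raw:
            phase, current = "tls", None      # everything after this is encrypted
            continue
        m = LINE.match(raw)
        if not m:
            continue                          # wrapped continuation or "..." elision
        direction, text = m.groups()
        if direction == ">":
            is_ehlo = text.upper().startswith("EHLO")
            current = {"answered": False, "caps": []} if is_ehlo else None
            if is_ehlo:
                phases[phase] = current
        elif current is not None:
            r = REPLY.match(text)
            if r and r.group(1) == "250":
                if current["answered"]:       # first 250 line is the server name
                    current["caps"].append(r.group(3))
                current["answered"] = True
                if r.group(2) == " ":         # space after the code ends the reply
                    current = None
    return phases
```

A "tls" entry with "answered" False is the pattern from the original report: the post-handshake EHLO went out and the session ended before any 250 line came back.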