BTW- my mta2 now has RSA and ECDSA keys. mta2 and mta3 have the CA
cert concatonated with the server cert since I use 2 0 1 TLSA records.
There is no intermediate (I'd just replace the CA and change all of
the TLSA records if the CA key was compromised).
Currently MX are mta3 and mta1 for most domains, mta2 and mta1 for two
domains: one unused for mail so should only get spam; the other used
for mail from IETF mailing list only (and perhaps if someone follows
up with a reply to me - haven't posted in a while so unlikely).
I'll see what effect these changes have on the list of hosts that fail
with ECDSA only. Fallback to secondary MX mta1 (no opportunistic TLS
at all on mta1) seems to only work for comcast.net mail servers.
grep 'SSL_accept error' /var/log/maillog | awk '{print $9;}' | sort |
uniq -c | sort -n
1 206-51-225-153.static.hvvc.us[206.51.225.153]:
1 camomile.cloud9.net[168.100.1.3]:
1 english-breakfast.cloud9.net[168.100.1.7]:
1 mail.bgs-solutions.com.ua[91.239.80.59]:
1 omr-a002e.mx.aol.com[204.29.186.56]:
1 resqmta-ch2-05v.sys.comcast.net[2001:558:fe21:29:69:252:207:37]:
1 resqmta-ch2-05v.sys.comcast.net[69.252.207.37]:
1 server.luingemedia.com[2a00:1e28:3:1653::1]:
1 smtp.cnp.com.hk[118.140.129.18]:
1 smtp.sinos.net[200.160.158.145]:
1 www.flixs-system.net[119.18.217.142]:
2 78.108.233.62.as20860.net[62.233.108.78]:
2 research-scan.cis.upenn.edu[158.130.6.191]:
2 resqmta-ch2-04v.sys.comcast.net[69.252.207.36]:
3 unknown[118.140.129.18]:
4 resqmta-ch2-04v.sys.comcast.net[2001:558:fe21:29:69:252:207:36]:
6 antispam.ma.gov.br[201.18.153.129]:
8 mail3.seati.ma.gov.br[201.18.153.129]:
11 s330.xrea.com[203.189.105.152]:
13 resqmta-ch2-09v.sys.comcast.net[69.252.207.41]:
14 mailhost.hoaglandlongo.com[65.51.230.181]:
20 unknown[101.231.51.114]:
20 www2816m.sakura.ne.jp[49.212.65.16]:
26 resqmta-ch2-09v.sys.comcast.net[2001:558:fe21:29:69:252:207:41]:
101 rrcs-74-219-137-204.central.biz.rr.com[74.219.137.204]:
Some of the one failure ones above retried without TLS. Some
delivered spam and were bounced. research-scan.cis.upenn.edu
connected to all my MX, some successful, but didn't deliver any mail.
Most of the high repeats are likely spammers. biz.rr.com is time
warner business cable who does not retry with no TLS or fallback to
secondary MX but are quite persistant (no loss for me - little doubt
this is a spammer).
Also note that comcast.net does not fall back to no-TLS but it does
fall back to the secondary MX. On the secondary it seems that I got
13 log entries with "connect from resqmta-ch2-09v.sys.comcast.net" on
the secondary MX with one email delivered. All others ended in
"timeout after DATA".
Seems like 47 connects on mta3 and then 13 connects on mta1 to deliver
one mail message. Not good. No further connects since that one mail
message was delivered.
mta2 only accepts TLSv1.2 so that might be the issue. One way to find
out is loosen that up.
Hmmm ... using mta2 port 587 as MSA and just sent a message to
postfix-users@postfix.org and got six SSL_connect error to
mail.cloud9.net and fallback to no TLS. Same with aol.
Adding an RSA cert didn't help at all:
grep TLS /var/log/maillog \
| egrep -v 'TLS library problem|Cannot start TLS' \
| egrep -v 'lost connection' \
| awk '{print $6, $11, $12, $15;}' \
| sort | uniq -c | sort -rn \
| awk '{printf " %2d %s %s\n %s %s\n", $1, $2, $3, $4, $5;}'
3 Anonymous harbor1-em2.v6only.occnc.com[2001:470:88e6:2::230]:
TLSv1 ECDHE-RSA-AES256-SHA
2 Anonymous mail.ietf.org[4.31.198.44]:
TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
1 Anonymous researchscan319.eecs.umich.edu[141.212.122.64]:
TLSv1.2 ECDHE-RSA-AES256-SHA
1 Anonymous mail.ietf.org[2001:1900:3001:11::2c]:
TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
Though it is possible that anything connecting *so far* (mostly
mail.ietf.org, as expected) that supports TLSv1.2 also supports ECDSA.
Not much IETF mail in the last few hours but it is a Sunday.
Curtis
