BTW, my mta2 now has RSA and ECDSA keys. mta2 and mta3 have the CA cert concatenated with the server cert since I use 2 0 1 TLSA records. There is no intermediate (I'd just replace the CA and change all of the TLSA records if the CA key was compromised).
Currently MX are mta3 and mta1 for most domains, mta2 and mta1 for two domains: one unused for mail so should only get spam; the other used for mail from IETF mailing list only (and perhaps if someone follows up with a reply to me - haven't posted in a while so unlikely). I'll see what effect these changes have on the list of hosts that fail with ECDSA only. Fallback to secondary MX mta1 (no opportunistic TLS at all on mta1) seems to only work for comcast.net mail servers.

  grep 'SSL_accept error' /var/log/maillog | awk '{print $9;}' | sort | uniq -c | sort -n

      1 206-51-225-153.static.hvvc.us[206.51.225.153]:
      1 camomile.cloud9.net[168.100.1.3]:
      1 english-breakfast.cloud9.net[168.100.1.7]:
      1 mail.bgs-solutions.com.ua[91.239.80.59]:
      1 omr-a002e.mx.aol.com[204.29.186.56]:
      1 resqmta-ch2-05v.sys.comcast.net[2001:558:fe21:29:69:252:207:37]:
      1 resqmta-ch2-05v.sys.comcast.net[69.252.207.37]:
      1 server.luingemedia.com[2a00:1e28:3:1653::1]:
      1 smtp.cnp.com.hk[118.140.129.18]:
      1 smtp.sinos.net[200.160.158.145]:
      1 www.flixs-system.net[119.18.217.142]:
      2 78.108.233.62.as20860.net[62.233.108.78]:
      2 research-scan.cis.upenn.edu[158.130.6.191]:
      2 resqmta-ch2-04v.sys.comcast.net[69.252.207.36]:
      3 unknown[118.140.129.18]:
      4 resqmta-ch2-04v.sys.comcast.net[2001:558:fe21:29:69:252:207:36]:
      6 antispam.ma.gov.br[201.18.153.129]:
      8 mail3.seati.ma.gov.br[201.18.153.129]:
     11 s330.xrea.com[203.189.105.152]:
     13 resqmta-ch2-09v.sys.comcast.net[69.252.207.41]:
     14 mailhost.hoaglandlongo.com[65.51.230.181]:
     20 unknown[101.231.51.114]:
     20 www2816m.sakura.ne.jp[49.212.65.16]:
     26 resqmta-ch2-09v.sys.comcast.net[2001:558:fe21:29:69:252:207:41]:
    101 rrcs-74-219-137-204.central.biz.rr.com[74.219.137.204]:

Some of the one-failure ones above retried without TLS. Some delivered spam and were bounced. research-scan.cis.upenn.edu connected to all my MX, some successful, but didn't deliver any mail. Most of the high repeats are likely spammers.
biz.rr.com is Time Warner business cable, who does not retry with no TLS or fall back to secondary MX but is quite persistent (no loss for me - little doubt this is a spammer). Also note that comcast.net does not fall back to no-TLS but it does fall back to the secondary MX. On the secondary it seems that I got 13 log entries with "connect from resqmta-ch2-09v.sys.comcast.net" with one email delivered. All others ended in "timeout after DATA". Seems like 47 connects on mta3 and then 13 connects on mta1 to deliver one mail message. Not good. No further connects since that one mail message was delivered. mta2 only accepts TLSv1.2 so that might be the issue. One way to find out is to loosen that up.

Hmmm ... using mta2 port 587 as MSA and just sent a message to postfix-users@postfix.org and got six SSL_connect errors to mail.cloud9.net and fallback to no TLS. Same with aol. Adding an RSA cert didn't help at all:

  grep TLS /var/log/maillog \
    | egrep -v 'TLS library problem|Cannot start TLS' \
    | egrep -v 'lost connection' \
    | awk '{print $6, $11, $12, $15;}' \
    | sort | uniq -c | sort -rn \
    | awk '{printf " %2d %s %s\n %s %s\n", $1, $2, $3, $4, $5;}'

   3 Anonymous harbor1-em2.v6only.occnc.com[2001:470:88e6:2::230]:
   TLSv1 ECDHE-RSA-AES256-SHA
   2 Anonymous mail.ietf.org[4.31.198.44]:
   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384
   1 Anonymous researchscan319.eecs.umich.edu[141.212.122.64]:
   TLSv1.2 ECDHE-RSA-AES256-SHA
   1 Anonymous mail.ietf.org[2001:1900:3001:11::2c]:
   TLSv1.2 ECDHE-ECDSA-AES256-GCM-SHA384

Though it is possible that anything connecting *so far* (mostly mail.ietf.org, as expected) that supports TLSv1.2 also supports ECDSA. Not much IETF mail in the last few hours but it is a Sunday.

Curtis
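The two pipelines in the post count handshake failures and established sessions separately, which makes it hard to tell whether a given client that failed the ECDSA-only handshake later fell back to cleartext, fell back to the other MX, or never delivered anything. The script below is an added example, not Curtis's code or anything from the Postfix project: it tallies the same "SSL_accept error from host[ip]:" field the first awk pipeline prints, and also records per client any "TLS connection established" line (the same fields the second pipeline prints), any queue-file "client=" line (a message accepted) and any "timeout after DATA". The log lines are constructed for the example with made-up hosts and documentation addresses; they follow the standard Postfix smtpd line shapes, but the regexes and classification labels are this example's own assumptions.

```python
"""Per-client view of Postfix smtpd TLS handshake failures (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample log: made-up hosts and RFC 5737 addresses, standard
# Postfix smtpd line shapes. Client A fails the handshake twice and never
# delivers; client B fails once, reconnects and delivers in cleartext;
# client C negotiates TLSv1.2 with an ECDSA cipher suite and delivers.
SAMPLE_LOG = """\
Mar  1 10:00:01 mta2 postfix/smtpd[1234]: connect from mx.alpha.example[192.0.2.10]
Mar  1 10:00:01 mta2 postfix/smtpd[1234]: SSL_accept error from mx.alpha.example[192.0.2.10]: -1
Mar  1 10:00:01 mta2 postfix/smtpd[1234]: lost connection after STARTTLS from mx.alpha.example[192.0.2.10]
Mar  1 10:05:01 mta2 postfix/smtpd[1240]: connect from mx.alpha.example[192.0.2.10]
Mar  1 10:05:01 mta2 postfix/smtpd[1240]: SSL_accept error from mx.alpha.example[192.0.2.10]: -1
Mar  1 10:05:01 mta2 postfix/smtpd[1240]: lost connection after STARTTLS from mx.alpha.example[192.0.2.10]
Mar  1 10:10:02 mta2 postfix/smtpd[1250]: connect from mx.beta.example[198.51.100.20]
Mar  1 10:10:02 mta2 postfix/smtpd[1250]: SSL_accept error from mx.beta.example[198.51.100.20]: -1
Mar  1 10:15:02 mta2 postfix/smtpd[1251]: connect from mx.beta.example[198.51.100.20]
Mar  1 10:15:03 mta2 postfix/smtpd[1251]: 5A1B2C3D4E: client=mx.beta.example[198.51.100.20]
Mar  1 10:20:00 mta2 postfix/smtpd[1260]: connect from mail.gamma.example[203.0.113.30]
Mar  1 10:20:00 mta2 postfix/smtpd[1260]: Anonymous TLS connection established from mail.gamma.example[203.0.113.30]: TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)
Mar  1 10:20:01 mta2 postfix/smtpd[1260]: 6F7E8D9C0B: client=mail.gamma.example[203.0.113.30]
"""

# "host[ip]" as Postfix prints it; IPv6 literals contain colons, so match up to the closing bracket.
CLIENT = r"(?P<client>\S+\[[^\]]+\])"
PATTERNS = {
    "ssl_accept_error": re.compile(r"SSL_accept error from " + CLIENT + ":"),
    "tls_established": re.compile(
        r"TLS connection established from " + CLIENT + r": (?P<proto>\S+) with cipher (?P<cipher>\S+)"),
    "message_accepted": re.compile(r": [0-9A-F]+: client=" + CLIENT),
    "data_timeout": re.compile(r"timeout after DATA from " + CLIENT),
}


def summarize(log_text):
    """Tally handshake errors, TLS sessions, accepted messages and DATA timeouts per client."""
    per_client = defaultdict(lambda: {"ssl_accept_errors": 0, "tls_sessions": [],
                                      "messages_accepted": 0, "data_timeouts": 0})
    for line in log_text.splitlines():
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if not m:
                continue
            entry = per_client[m.group("client")]
            if kind == "ssl_accept_error":
                entry["ssl_accept_errors"] += 1
            elif kind == "tls_established":
                entry["tls_sessions"].append((m.group("proto"), m.group("cipher")))
            elif kind == "message_accepted":
                entry["messages_accepted"] += 1
            else:
                entry["data_timeouts"] += 1
            break  # each log line matches at most one pattern
    return dict(per_client)


def ssl_accept_counts(log_text):
    """Same result as `grep 'SSL_accept error' | awk '{print $9;}' | sort | uniq -c | sort -n`.

    Returns (client, count) pairs; the trailing colon is kept because awk's $9 includes it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = PATTERNS["ssl_accept_error"].search(line)
        if m:
            counts[m.group("client") + ":"] += 1
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))


def classify(entry):
    """Label one client's behaviour after failed handshakes (labels are this example's own)."""
    if entry["ssl_accept_errors"] == 0:
        return "no handshake failures"
    if entry["tls_sessions"]:
        return "handshake failures, later negotiated TLS"
    if entry["messages_accepted"]:
        return "handshake failures, fell back to cleartext"
    return "persistent handshake failures, nothing delivered"


if __name__ == "__main__":
    for client, count in ssl_accept_counts(SAMPLE_LOG):
        print(f"{count:7d} {client}")
    for client, entry in summarize(SAMPLE_LOG).items():
        print(f"{client}: {classify(entry)}; TLS sessions: {entry['tls_sessions']}")
```

Run against a real /var/log/maillog by replacing SAMPLE_LOG with the file contents; a client in the "persistent handshake failures, nothing delivered" bucket that keeps reconnecting is the pattern the post describes for biz.rr.com, while the "fell back to cleartext" bucket is the set of senders an ECDSA-only or TLSv1.2-only policy is pushing onto unencrypted delivery.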