* Stefan Bauer <cubew...@googlemail.com>:
> Dear Users,
>
> we are trying to deliver mail to remote party with enforced encryption.
>
> 63FFB80805: TLS is required, but was not offered by host mx0.esb.de
> [194.77.230.138]
>
> But looks like, remote device is announcing TLS and can handle it:
>
> # telnet mx0.esb.de 25
> Trying 194.77.230.138...
> Connected to mx0.esb.de.
> Escape character is '^]'.
> 220 ****************
> ehlo test
> 250-mx0.esb.de
> 250-8BITMIME
> 250-SIZE 52428800
> 250 STARTTLS
> starttls
> 220 Go ahead with TLS
>
> But the minus "-" is missing in STARTTLS correct?

Look into your log and you will very likely find something that says:
Cisco PIX enabled?

> Is there a known workaround available?
>
> Maybe some rewrite-voodoo?

Something – quite likely a Cisco ASA/PIX – manipulates the SMTP server banner
and the STARTTLS capability announcement. This is what it should look like:

220 mail.sys4.de ESMTP Submission
EHLO foo.sys4.de
250-mail.sys4.de
250-PIPELINING
250-SIZE 40960000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
QUIT

The $something removes the "ESMTP" in the server banner. Without the string
"ESMTP" the mail client (read: Your Postfix smtp client) cannot know the remote
server supports any of the Enhanced SMTP features, which includes STARTTLS. It
*must* assume the server speaks rudimentary SMTP only. Thus it uses rudimentary
SMTP only, which excludes STARTTLS. And that's why it fails in the first place.

The missing minus "-" just adds to the dilemma.

p@rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
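
A check for the symptoms discussed in this thread, as an added example that is not part of the original messages: it parses the server side of both SMTP dialogues quoted above and flags a masked banner, a banner without "ESMTP", and a missing STARTTLS keyword. The function names and finding labels are assumptions made for this illustration.

```python
import re

# Both transcripts are copied from the thread above (server replies only).
FILTERED_BANNER = ["220 ****************"]
FILTERED_EHLO = ["250-mx0.esb.de", "250-8BITMIME", "250-SIZE 52428800", "250 STARTTLS"]
CLEAN_BANNER = ["220 mail.sys4.de ESMTP Submission"]
CLEAN_EHLO = ["250-mail.sys4.de", "250-PIPELINING", "250-SIZE 40960000", "250-ETRN",
              "250-STARTTLS", "250-ENHANCEDSTATUSCODES", "250-8BITMIME", "250-DSN",
              "250 SMTPUTF8"]

def parse_reply(lines):
    """Return (code, [text, ...]) for one SMTP reply.

    Continuation lines look like "250-TEXT"; the final line of a reply
    looks like "250 TEXT". Both forms carry a capability keyword.
    """
    code, texts = None, []
    for line in lines:
        m = re.match(r"^(\d{3})(?:[ -](.*))?$", line.rstrip("\r\n"))
        if not m:
            raise ValueError(f"not an SMTP reply line: {line!r}")
        code = m.group(1)
        texts.append(m.group(2) or "")
    return code, texts

def audit_session(banner_lines, ehlo_lines):
    """Flag signs that something between client and server rewrote the dialogue."""
    findings = []
    _, banner = parse_reply(banner_lines)
    greeting = " ".join(banner).strip()
    if re.fullmatch(r"\*+", greeting):
        findings.append("banner-masked")          # greeting replaced by asterisks
    if "ESMTP" not in greeting.upper().split():
        findings.append("banner-lacks-esmtp")     # the marker the reply above describes
    code, caps = parse_reply(ehlo_lines)
    # First EHLO line is the server's own name; the rest are capability keywords.
    keywords = {c.split()[0].upper() for c in caps[1:] if c.strip()}
    if code != "250" or "STARTTLS" not in keywords:
        findings.append("starttls-not-offered")
    return findings

if __name__ == "__main__":
    print("mx0.esb.de  :", audit_session(FILTERED_BANNER, FILTERED_EHLO))
    print("mail.sys4.de:", audit_session(CLEAN_BANNER, CLEAN_EHLO))
```

For the mx0.esb.de dialogue it reports the masked banner and the missing "ESMTP" while STARTTLS is still listed; the mail.sys4.de dialogue produces no findings.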