On Thu, Jun 20, 2019 at 12:43:22PM +0200, David López wrote:

> > > postfix/smtp[]: : to=<em...@domain.com>,
> > > relay=MXhost[xxx.xxx.xxx.xxx]:25, delay=2190,
> > > delays=2186/0.03/3.9/0.13,
> > > dsn=4.7.0, status=deferred (host MXdomain[xxx.xxx.xxx.xxx] said: 403
> > > 4.7.0 not authenticated (in reply to MAIL FROM command))
> >
> > The error message is from the server, which expects your client to
> > present authentication credentials. Which ones depends on what
> > the server operator documents as the expected means for clients
> > to prove they are one of the ones authorized to access the server.
>
> I get a log server from the other side.

Is there any documentation that explains what the remote server
expects as client credentials? Have you asked the server operator
to clarify?

> STARTTLS=server, relay=DOMAIN [xxx.xxx.xxx.xxx], version=TLSv1/SSLv3,
> verify=NO, cipher=ECDHE-RSA-AES256-SHA, bits=256/256

This is not useful. You're still tilting at the TLS windmill, but
there's no information to suggest that TLS is relevant.

> So maybe the problem is here. It expects connect from fqdn and it
> arrives from domain? Is strange because I see in the handshake is
> showed with fqdn, but connects from domain.

This is irrelevant.

> I checked mydomain, smtpbanner, myhostname and I think is ok but still
> get deferred while sending.

The server's error message said the client is *authenticated*, don't
waste your time on unrelated issues.

On Fri, Jun 21, 2019 at 10:29:22PM +0200, David López wrote:

> It seems from the other side logs that the problem is that "No certificate
> was presented."

That's normal. Don't waste your time on distractions. There is
ONLY ONE relevant question, namely:

  * What type of client authentication does the remote server
    expect and accept?

Everything else is a distraction. Now it is possible (though very
much not common) that a client certificate is expected, but then
there would need to be some sort of published process for the client
to enroll for one issued by the server operator, or provide the
operator with an existing one they can register.

The server is access controlled, you can only use it with the
credentials that the server operator documents as acceptable.

-- 
    Viktor.
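
Added example, not part of the original thread: a small triage script for Postfix smtp(8) delivery records like the one quoted above. It separates replies sent by the remote server from local connection failures, records which SMTP command was refused, and flags the "credentials required" case. The `triage` helper, the regular expressions and the sample lines are constructed for illustration.

```python
import re

# Postfix smtp(8) delivery record: key=value fields, then status=... (detail).
RECORD = re.compile(
    r"postfix/smtp\[\d*\]: (?P<qid>[0-9A-F]*): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>[^,]+), .*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+) \((?P<detail>.*)\)\s*$")
# A reply quoted from the remote server, with the SMTP command it answered.
REMOTE = re.compile(
    r"host (?P<host>\S+) said: (?P<code>\d{3})[ -](?P<reply>.*) "
    r"\(in reply to (?P<stage>.+?)\)$")
AUTH_HINT = re.compile(r"authenticat|auth required", re.I)

# Constructed sample lines (hosts, addresses and queue IDs are made up).
SAMPLES = [
    "postfix/smtp[2101]: 4A1B2C3D4E: to=<user@example.com>, "
    "relay=mx.example.com[192.0.2.10]:25, delay=2190, "
    "delays=2186/0.03/3.9/0.13, dsn=4.7.0, status=deferred "
    "(host mx.example.com[192.0.2.10] said: 403 4.7.0 not authenticated "
    "(in reply to MAIL FROM command))",
    "postfix/smtp[2102]: 5B2C3D4E5F: to=<user@example.net>, relay=none, "
    "delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred "
    "(connect to mx.example.net[192.0.2.20]:25: Connection timed out)",
    "postfix/smtp[2103]: 6C3D4E5F60: to=<user@example.org>, "
    "relay=mx.example.org[192.0.2.30]:25, delay=2, delays=0.1/0/1.5/0.4, "
    "dsn=4.7.1, status=deferred (host mx.example.org[192.0.2.30] said: "
    "450 4.7.1 Greylisted, try again later (in reply to RCPT TO command))",
]

def triage(line):
    """Return a dict describing one delivery record, or None if not one."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = m.groupdict()
    r = REMOTE.search(rec["detail"])
    if r is None:  # failure generated locally (connect, DNS, TLS handshake)
        rec.update(origin="local", stage=None, code=None,
                   needs_credentials=False)
        return rec
    rec.update(origin="remote", stage=r["stage"], code=r["code"])
    # RFC 3463: the second DSN digit 7 means a security or policy status.
    rec["needs_credentials"] = (rec["dsn"].split(".")[1] == "7"
                                and bool(AUTH_HINT.search(r["reply"])))
    return rec

if __name__ == "__main__":
    for s in SAMPLES:
        t = triage(s)
        print(t["dsn"], t["origin"], t["stage"], t["needs_credentials"])
```

A record flagged `needs_credentials` with stage `MAIL FROM command` means the session had already reached the SMTP envelope, so the open question is which credentials the operator accepts.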