Shawn Heisey:
> If the way I got the total counts is valid, then most of the connections 
> are NOT using TLS. I wonder how many of those are using plaintext 
> because my cert is 4096 bit and their encryption library cannot use it.

Look for the 'disconnect' logfile record, it will report if starttls
was used, and if it was successful.

A recent example:

Sep 27 13:06:35 spike postfix/smtpd[78883]: disconnect from 
m227-25.mailgun.net[159.135.227.25] ehlo=1 starttls=0/1 commands=1/2

Sep 27 13:07:36 spike postfix/smtpd[78883]: disconnect from 
m227-25.mailgun.net[159.135.227.25] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 
commands=6


Their connections seem to come in pairs: the first one fails with
an SSL_accept error, then they reconnect immediately and succeed
with 

        TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits)
        key-exchange X25519 server-signature RSA-PSS (2048 bits)
        server-digest SHA256

I guess that they object to something about my TLS default settings
or my self-signed certificate.

        Wietse
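An added example (not from the thread) that turns the advice above into a count: it parses the `starttls=` counter of Postfix `disconnect` records, where `starttls=0/1` means 0 successful of 1 attempted and a bare `starttls=1` means the attempt succeeded. The sample log is the two lines from the message plus a constructed plaintext session and a non-disconnect record.

```python
import re
from collections import Counter

# Constructed sample: the two records quoted above plus one made-up
# session that delivered mail without ever issuing STARTTLS.
SAMPLE_LOG = """\
Sep 27 13:06:35 spike postfix/smtpd[78883]: disconnect from m227-25.mailgun.net[159.135.227.25] ehlo=1 starttls=0/1 commands=1/2
Sep 27 13:07:36 spike postfix/smtpd[78883]: disconnect from m227-25.mailgun.net[159.135.227.25] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 commands=6
Sep 27 13:09:02 spike postfix/smtpd[78901]: disconnect from example.test[192.0.2.10] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 27 13:09:10 spike postfix/smtpd[78901]: connect from example.test[192.0.2.10]
"""

DISCONNECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: disconnect from (?P<host>\S+)\[(?P<ip>[^\]]+)\](?P<counters>.*)$")
# name=ok or name=ok/total; Postfix 3.x prints the /total part only when it differs
COUNTER_RE = re.compile(r"(\w+)=(\d+)(?:/(\d+))?")

def parse_disconnect(line):
    """Return (host, ip, {name: (ok, total)}) for a disconnect record, else None."""
    m = DISCONNECT_RE.search(line)
    if not m:
        return None
    counters = {}
    for name, ok, total in COUNTER_RE.findall(m.group("counters")):
        ok = int(ok)
        counters[name] = (ok, int(total) if total else ok)
    return m.group("host"), m.group("ip"), counters

def classify(counters):
    """Classify one session from its starttls and data counters."""
    ok, total = counters.get("starttls", (0, 0))
    if total == 0:
        # STARTTLS never attempted: any DATA that got through went in cleartext
        delivered = counters.get("data", (0, 0))[0]
        return "delivered-plaintext" if delivered else "no-tls-no-mail"
    return "tls" if ok else "starttls-failed"

def summarize(log_text):
    """Count sessions per class over all disconnect records in log_text."""
    stats = Counter()
    for line in log_text.splitlines():
        rec = parse_disconnect(line)
        if rec:
            stats[classify(rec[2])] += 1
    return stats
```

Feed it `grep 'disconnect from' /var/log/mail.log` to see how many sessions delivered mail without TLS versus how many failed at the STARTTLS handshake.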
