>> Just wanted to let you know that Outlook users might run into problems
>> submitting mails after Microsoft's latest Windows update.
>>
>> Oct 15 14:49:42 mx1 postfix/submission/smtpd[25067]: connect from <redacted>
>> Oct 15 14:49:42 mx1 postfix/submission/smtpd[25067]: SSL_accept error from
>> <redacted>: lost connection
>> Oct 15 14:49:42 mx1 postfix/submission/smtpd[25067]: lost connection after
>> STARTTLS from <redacted>
>>
>> This occurs on submission port 587 (STARTTLS) and smtps port 465 (TLS).
>>
>> Since deinstalling the update no submission errors have occurred:
>>
>> - Update KB5018418 on Windows 11 (verified)
>> - Update KB5018410 on Windows 10
>>
>> As an alternative disabling session tickets seems to help:
>
> What does the Postfix server log for successful TLS handshakes with
> updated clients when session tickets are disabled? Something like
> either of:
>
> Anonymous TLS connection established from ...: TLSv1.2 with cipher
> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
> Anonymous TLS connection established from ...: TLSv1.3 with cipher
> TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature
> RSA-PSS (2048 bits) server-digest SHA256

With session tickets disabled it logs:

Anonymous TLS connection established from <redacted>: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

This server does not support TLS 1.3 yet and TLS 1.2 is the only version currently allowed for submission.

> Any chance you could provide (off-list if you prefer) a PCAP recording
> of a good and a problem TLS session?

I'll send it off-list.

Best regards
Gerald