On Wed, Aug 16, 2023 at 06:22:28PM -0400, pgnd via Postfix-users wrote:

> not exactly the same issue to my read, but there may be more to it?
As suspected, the OP has an incomplete DANE TLSA RRset that fails to match the system's RSA certificate (the additional ECDSA certificate does match, but Microsoft's outbound servers negotiate RSA). See:

    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html

So far, the pattern of Microsoft's outbound systems disconnecting immediately after a completed TLS handshake strongly correlates with a broken TLSA setup. In this case, one that would not be found by the DANE survey, because the code currently prefers ECDSA, but I should perhaps implement a random client-side preference to have a better chance of detecting this issue (or just prefer RSA over ECDSA on odd day numbers since the epoch). That would still fail to find problem systems that ignore the client preference order and only expose the second algorithm's certificate when it is the only one supported by the client.

Problem found via:

    danesmtp () {
        local host=$1; shift
        local opts=(-starttls smtp -connect "$host:25" -verify 9 -verify_return_error
                    -dane_ee_no_namechecks -dane_tlsa_domain "$host")
        # Keep only well-formed usage 2/3 TLSA records; +nosplit keeps the hex in one word
        set -- $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
                 egrep -i '^[23] [01] [012] [0-9a-f]+$')
        # One -dane_tlsa_rrdata option per record (four fields each)
        while [ $# -ge 4 ]; do
            opts=("${opts[@]}" "-dane_tlsa_rrdata" "$1 $2 $3 $4")
            shift 4
        done
        ( sleep 1; printf "QUIT\r\n" ) |
            openssl s_client -tls1_2 -cipher 'aRSA:aECDSA' "${opts[@]}"
    }

Possible choices for "-cipher" are:

    - aRSA:aECDSA
    - aECDSA:aRSA
    - aECDSA
    - aRSA

If any fail with a certificate verification problem due to a mismatched TLSA record (rather than failure to find a common ciphersuite), you have a TLSA misconfiguration. Always simplest to stick to just one widely supported algorithm, for now, in most cases a vanilla RSA cert with a 2048-bit key. Though perhaps all SMTP clients capable of doing DANE are sufficiently bleeding edge to also be expected to support ECDSA (P256).

-- 
    Viktor.
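The same coverage check done offline, as an added Python example that is not part of Viktor's post or of any Postfix/OpenSSL code: it parses `dig +short` TLSA lines in the format the function above filters for, computes the association data per selector and matching type, and reports which of a server's end-entity certificates no usage-3 record matches. The certificate and SPKI bytes are constructed placeholders standing in for real DER; usage-2 records (matched against the issuer chain) are not audited here.

```python
import hashlib
import re

# One "<usage> <selector> <mtype> <hex>" line per record, as `dig +short +nosplit` prints it.
TLSA_RE = re.compile(r"^([23]) ([01]) ([012]) ([0-9a-f]+)$", re.I)

def parse_tlsa(dig_output):
    """Parse dig +short TLSA output into (usage, selector, mtype, data) tuples; skip junk."""
    records = []
    for line in dig_output.splitlines():
        m = TLSA_RE.match(line.strip())
        if m:
            u, s, t, data = m.groups()
            records.append((int(u), int(s), int(t), bytes.fromhex(data)))
    return records

def tlsa_data(cert_der, spki_der, selector, mtype):
    """Association data for one cert: selector 0 = full cert, 1 = SubjectPublicKeyInfo;
    matching type 0 = exact bytes, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    obj = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type %d" % mtype)

def uncovered_certs(records, certs):
    """Names of end-entity certs that no DANE-EE (usage 3) record matches.

    `certs` maps a label such as "rsa" or "ecdsa" to a (cert_der, spki_der) pair.
    Any cert listed here fails DANE verification whenever the server presents it,
    e.g. when a client that only offers RSA ciphersuites connects.
    """
    return [name for name, (cert_der, spki_der) in certs.items()
            if not any(u == 3 and tlsa_data(cert_der, spki_der, s, t) == d
                       for (u, s, t, d) in records)]

# Constructed stand-ins for the DER bytes of a dual-algorithm server's certificates.
CERTS = {
    "rsa":   (b"constructed-rsa-cert-der",   b"constructed-rsa-spki-der"),
    "ecdsa": (b"constructed-ecdsa-cert-der", b"constructed-ecdsa-spki-der"),
}
# Constructed RRset reproducing the OP's setup: a single "3 1 1" record for the ECDSA key only.
DIG_OUTPUT = "3 1 1 " + hashlib.sha256(CERTS["ecdsa"][1]).hexdigest()

if __name__ == "__main__":
    print("certificates not covered by any usage-3 TLSA record:",
          uncovered_certs(parse_tlsa(DIG_OUTPUT), CERTS))
```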
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org