Re: TLS errors with GMX/web.de

2013-08-26 Thread Viktor Dukhovni
On Mon, Aug 26, 2013 at 12:04:28PM +0200, Sebastian Wiesinger wrote:
> > It may be overkill, but it should work. I am afraid the best path
> > forward is for GMX to debug this with their client software.
>
> Yeah I'm not holding my breath for that.

Send them (postmaster@) a pointer to this thre

Re: TLS errors with GMX/web.de

2013-08-26 Thread Sebastian Wiesinger
* Viktor Dukhovni [2013-08-24 05:27]:
> > I just did, here is the PCAP:
> >
> > http://www.karotte.org/smtp-gmx.pcap
>
> The client sends an "internal error" alert. It is not clear what
> problem it is encountering. The server elects:
>
> Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_

Re: TLS errors with GMX/web.de

2013-08-23 Thread Viktor Dukhovni
On Wed, Aug 21, 2013 at 10:44:40PM +0200, Sebastian Wiesinger wrote:
> I just did, here is the PCAP:
>
> http://www.karotte.org/smtp-gmx.pcap

The client sends an "internal error" alert. It is not clear what
problem it is encountering. The server elects:

Cipher Suite: TLS_ECDHE_ECDSA_WITH_
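The two facts Viktor pulled out of the capture above, the cipher suite the server elected in its ServerHello and the alert the client answered with, can be read straight off the TLS record bytes. The following is an added example, not code from the thread, from Postfix or from Viktor; the record bytes it parses are constructed inline, and the 0xC009 suite and the fatal internal_error alert are assumed sample values chosen to match the shape of the problem, not the exact contents of the PCAP linked above. The point it makes: an ECDHE-ECDSA suite can only be elected if the server presented an EC certificate, so seeing it in a ServerHello tells you which of two configured certificates the peer was actually handed.

```python
"""Decode plaintext TLS records: pull the elected cipher suite out of a
ServerHello and decode an Alert record into level/description.

Added example; the sample records below are constructed, not captured."""
import struct

# Subset of IANA cipher-suite codes: (IANA name, OpenSSL name, server auth).
# The auth column is what matters here: an ECDSA suite needs an EC cert.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "AES128-SHA", "RSA"),
    0xC009: ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "ECDHE-ECDSA-AES128-SHA", "ECDSA"),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-AES128-SHA", "RSA"),
    0xC023: ("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "ECDHE-ECDSA-AES128-SHA256", "ECDSA"),
    0xC027: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "ECDHE-RSA-AES128-SHA256", "RSA"),
}

# AlertDescription values from RFC 5246 section 7.2 (subset).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
    48: "unknown_ca", 51: "decrypt_error", 70: "protocol_version",
    80: "internal_error",
}

def iter_records(data):
    """Yield (content_type, version, payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record")
        yield ctype, version, payload
        off += 5 + length

def parse_server_hello(handshake):
    """Return (version, cipher_suite) if the first handshake message is a ServerHello."""
    if handshake[0] != 2:          # HandshakeType server_hello
        return None
    length = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + length]
    version = struct.unpack("!H", body[0:2])[0]
    sid_len = body[34]             # 2 bytes version + 32 bytes random precede it
    suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
    return version, suite

def describe(data):
    """Summarise a record stream: elected suite, its auth method, and any alerts."""
    result = {"cipher_suite": None, "openssl_name": None, "auth": None, "alerts": []}
    for ctype, _version, payload in iter_records(data):
        if ctype == 22:            # handshake
            sh = parse_server_hello(payload)
            if sh:
                name, ossl, auth = CIPHER_SUITES.get(
                    sh[1], (f"unknown_{sh[1]:04x}", "?", "?"))
                result.update(cipher_suite=name, openssl_name=ossl, auth=auth)
        elif ctype == 21 and len(payload) >= 2:   # alert: level, description
            level, desc = payload[0], payload[1]
            result["alerts"].append((
                "fatal" if level == 2 else "warning",
                ALERT_DESCRIPTIONS.get(desc, f"unknown_{desc}")))
    return result

def build_server_hello(suite, version=0x0303):
    """Construct a minimal ServerHello record (sample input, not captured data)."""
    body = (struct.pack("!H", version) + b"\x00" * 32   # version, random
            + b"\x00"                                    # empty session id
            + struct.pack("!H", suite) + b"\x00")        # suite, null compression
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(hs)) + hs

def build_alert(level, desc, version=0x0303):
    """Construct a two-byte Alert record (sample input, not captured data)."""
    return struct.pack("!BHH", 21, version, 2) + bytes([level, desc])

# Constructed sample: server elects an ECDHE-ECDSA suite (so it presented an
# EC certificate) and the client replies with a fatal internal_error alert.
SAMPLE = build_server_hello(0xC009) + build_alert(2, 80)

if __name__ == "__main__":
    print(describe(SAMPLE))
```

For a real capture, feed the TCP payload bytes following the STARTTLS `220` reply into `describe`; it only looks at the first handshake message per record, which is enough to find the ServerHello in a typical exchange.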

Re: TLS errors with GMX/web.de

2013-08-21 Thread Sebastian Wiesinger
* Viktor Dukhovni [2013-08-20 16:51]:
> > I found the problem... In addition to my normal certificate, I had an
> > EC certificate.
> >
> > smtpd_tls_eccert_file=/etc/postfix/certs/cacert-karotte-ec.crt
>
> Though I think OpenSSL will generally detect attempts to configure
> a public key (certif

Re: TLS errors with GMX/web.de

2013-08-20 Thread Viktor Dukhovni
On Tue, Aug 20, 2013 at 01:27:01PM +0200, Sebastian Wiesinger wrote:
> I found the problem... In addition to my normal certificate, I had an
> EC certificate.
>
> smtpd_tls_eccert_file=/etc/postfix/certs/cacert-karotte-ec.crt

Though I think OpenSSL will generally detect attempts to configure a p

Re: TLS errors with GMX/web.de

2013-08-20 Thread Sebastian Wiesinger
* DTNX Postmaster [2013-08-20 12:57]:
> Self-signed, 2048 bits certificate from our own root. Picks the same cipher
> and TLS version as in Heiko's example, it seems. Perhaps it's your
> certificate, perhaps your Postfix settings? No odd overrides for the defaults
> anywhere, forced cipher suit

Re: TLS errors with GMX/web.de

2013-08-20 Thread DTNX Postmaster
On Aug 20, 2013, at 11:48, Sebastian Wiesinger wrote:
> GMX and web.de started an initiative for secure E-Mail made in
> Germany... they turned TLS on.
>
> But in addition to that bold move they did something else that causes
> the following errors when they try to send mail to my postfix:
>

Re: TLS errors with GMX/web.de

2013-08-20 Thread Heiko Wundram
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20.08.2013 12:12, Sebastian Wiesinger wrote:
> * Heiko Wundram [2013-08-20 12:09]:
>> Still delivers fine for me (and my mail-server) running Postfix
>> 2.10.1:
>>
>> Received: from mout.web.de (mout.web.de [212.227.15.3]) (using
>> TLSv1.2 wi

Re: TLS errors with GMX/web.de

2013-08-20 Thread Sebastian Wiesinger
* Heiko Wundram [2013-08-20 12:09]:
> Still delivers fine for me (and my mail-server) running Postfix 2.10.1:
>
> Received: from mout.web.de (mout.web.de [212.227.15.3])
> (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits))
> (No client certificate requested)
> by ma

Re: TLS errors with GMX/web.de

2013-08-20 Thread Heiko Wundram
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20.08.2013 11:48, Sebastian Wiesinger wrote:
> This error ONLY occurs with their servers. My question is if
> anyone has an idea what could cause this error. My first guess is
> that they check certificates for validity and I only have a CACert