
Re: tlsa for smtp to @bugs.debian.org

It turned out that buxtehude's exim doesn't like the (cacert-signed,
wildcard) cert my box offers when sending mail.

Blocking that allowed the TLS negotiation to complete, resulting in:

  Verified TLS connection established to
    TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)

Most MXs, including the MX for @lists.deb, accept the cert and add a
header like:

 Received: from ore.jhcloos.com (ore.jhcloos.com [IPv6:2604:2880::b24d:a297])
  (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
  (Client CN "*.jhcloos.com", Issuer "CA Cert Signing Authority" (not verified))
  by bendel.debian.org (Postfix) with ESMTPS id 026175B
  for <debian-devel@lists.debian.org>; Thu, 12 Sep 2013 00:15:39 +0000 (UTC)

Some verify it.

Buxtehude is the first so far to drop the socket as soon as it sees it.

James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6
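
An added example, not part of the original message: a small parser for the Postfix `Received:` TLS annotations quoted above, useful when auditing which inbound sessions used TLS and whether the client certificate was trusted. The function names and labels are hypothetical, and the patterns cover only the header form shown in the message.

```python
import re

# The Received header quoted in the message, copied here as sample input.
SAMPLE = (
    'from ore.jhcloos.com (ore.jhcloos.com [IPv6:2604:2880::b24d:a297])\n'
    '  (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))\n'
    '  (Client CN "*.jhcloos.com", Issuer "CA Cert Signing Authority" (not verified))\n'
    '  by bendel.debian.org (Postfix) with ESMTPS id 026175B\n'
    '  for <debian-devel@lists.debian.org>; Thu, 12 Sep 2013 00:15:39 +0000 (UTC)'
)

# Protocol, cipher and key bits as Postfix records them in the header.
TLS_RE = re.compile(r'\(using (?P<proto>\S+) with cipher (?P<cipher>\S+) '
                    r'\((?P<used>\d+)/(?P<avail>\d+) bits\)\)')
# "verified OK" is Postfix's wording for a trusted chain; it does not appear
# in the message and is included as the counterpart of "not verified".
CERT_RE = re.compile(r'\(Client CN "(?P<cn>[^"]*)", Issuer "(?P<issuer>[^"]*)" '
                     r'\((?P<status>verified OK|not verified)\)\)')

def parse_received_tls(header):
    """Extract TLS and client-certificate facts from one Received header."""
    text = " ".join(header.split())  # unfold continuation lines
    info = {"proto": None, "cipher": None, "bits": None,
            "client_cn": None, "issuer": None, "cert_verified": None}
    tls = TLS_RE.search(text)
    if tls:
        info.update(proto=tls["proto"], cipher=tls["cipher"],
                    bits=(int(tls["used"]), int(tls["avail"])))
    cert = CERT_RE.search(text)
    if cert:
        info.update(client_cn=cert["cn"], issuer=cert["issuer"],
                    cert_verified=cert["status"] == "verified OK")
    return info

def classify(info):
    """Label how much the receiving MTA learned about the sending client."""
    if info["proto"] is None:
        return "cleartext"
    if info["cert_verified"] is None:
        return "tls-no-client-cert-info"
    return "tls-cert-verified" if info["cert_verified"] else "tls-cert-unverified"

if __name__ == "__main__":
    parsed = parse_received_tls(SAMPLE)
    print(parsed, classify(parsed))
```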
