Re: tlsa for smtp to @bugs.debian.org

To: debian-devel@lists.debian.org
Subject: Re: tlsa for smtp to @bugs.debian.org
From: James Cloos <cloos@jhcloos.com>
Date: Thu, 12 Sep 2013 02:20:18 -0400
Message-id: <[🔎] m3bo3y5zno.fsf@carbon.jhcloos.org>
In-reply-to: <[🔎] m3hadq7v5s.fsf@carbon.jhcloos.org> (James Cloos's message of "Wed, 11 Sep 2013 20:14:30 -0400")
References: <[🔎] m3hadq7v5s.fsf@carbon.jhcloos.org>

It turned out that buxtehude's exim doesn't like the (cacert-signed,
wildcard) cert my box offers when sending mail.

Blocking that allowed the TLS negotiation to complete, resulting in:

  Verified TLS connection established to
    buxtehude.debian.org[140.211.166.26]:25:
    TLSv1.2 with cipher DHE-RSA-AES256-SHA256 (256/256 bits)

Most MXs, including the MX for @lists.deb, accept the cert and add a
header like:

 Received: from ore.jhcloos.com (ore.jhcloos.com [IPv6:2604:2880::b24d:a297])
  (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
  (Client CN "*.jhcloos.com", Issuer "CA Cert Signing Authority" (not verified))
  by bendel.debian.org (Postfix) with ESMTPS id 026175B
  for <debian-devel@lists.debian.org>; Thu, 12 Sep 2013 00:15:39 +0000 (UTC)

Some verify it.

Buxtehude is the first so far to drop the socket as soon as it sees it.

-JimC
-- 
James Cloos <cloos@jhcloos.com>         OpenPGP: 1024D/ED7DAEA6

Reply to:

Follow-Ups:
- Re: tlsa for smtp to @bugs.debian.org
  - From: Tollef Fog Heen <tfheen@err.no>

References:
- tlsa for smtp to @bugs.debian.org
  - From: James Cloos <cloos@jhcloos.com>

Prev by Date: tlsa for smtp to @bugs.debian.org
Next by Date: Re: tlsa for smtp to @bugs.debian.org
Previous by thread: tlsa for smtp to @bugs.debian.org
Next by thread: Re: tlsa for smtp to @bugs.debian.org
Index(es):
- Date
- Thread