
Re: ssl handshake problem with bugs.debian.org?



On 2020-07-27 13:49, Sven Hartge wrote:

> Does your MTA present a client certificate? Maybe buxtehude does not
> like that?


Yes, it has a certificate. Whether buxtehude likes it I cannot say,
but it looks OK to me. It's a wildcard certificate, though:


Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0b:4b:72:01:12:76:76:75:a8:ec:10:0d:11:36:7b:f8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA
        Validity
            Not Before: Jul  9 00:00:00 2020 GMT
            Not After : Sep  8 12:00:00 2022 GMT
        Subject: C=DE, ST=Nordrhein-Westfalen, L=Aachen, O=aixigo AG, OU=Internet, CN=*.aixigo.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:c7:43:b9:e8:1b:5b:2c:b0:a8:26:05:d3:9f:06:
:
:
                    47:58:c2:17:be:c9:d8:26:7a:4b:45:d6:df:19:cb:
                    50:79
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2

            X509v3 Subject Key Identifier:
                F7:5D:C6:13:97:9B:F8:D4:49:9E:EC:36:E1:B3:26:C2:12:BD:D2:8C
            X509v3 Subject Alternative Name:
                DNS:*.aixigo.de, DNS:aixigo.de, DNS:mail.aixigo.de
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points:
:
:

BTW, the problem showed up first on June 17th.

> When diagnosing SSL errors I also find it helpful to wireshark the
> connection to see which side exactly triggers the SSL Alert. That may
> help highlight the culprit here.


See attachment. AFAICT this is all encrypted.


Regards
Harri

Attachment: buxtehude.debian.org.pcap
Description: application/vnd.tcpdump.pcap
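
Added example, not part of the original message: TLS record headers are sent in the clear, so the side that raised the alert can be identified from an undecrypted capture by scanning each direction for record type 21. It assumes each direction's TCP payload has already been reassembled and the plaintext SMTP bytes up to STARTTLS removed; the sample bytes are constructed, and in TLS 1.3 alerts sent after ServerHello travel in records with outer type 23, so they are not visible this way.

```python
import struct

# TLS record content types and a few alert codes (RFC 5246).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 40: "handshake_failure", 42: "bad_certificate",
                      43: "unsupported_certificate", 46: "certificate_unknown",
                      48: "unknown_ca", 70: "protocol_version"}

def parse_records(stream: bytes):
    """Yield (content_type, version, payload) for each complete TLS record."""
    offset = 0
    while offset + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, offset)
        if ctype not in CONTENT_TYPES or version >> 8 != 3:
            raise ValueError(f"not a TLS record at offset {offset}")
        payload = stream[offset + 5 : offset + 5 + length]
        if len(payload) < length:
            break  # truncated capture: stop at the last complete record
        yield ctype, version, payload
        offset += 5 + length

def find_alerts(flows):
    """flows maps a side name to its reassembled TLS bytes; returns alert findings."""
    findings = []
    for side, stream in flows.items():
        encrypted = False  # True once this side has sent ChangeCipherSpec
        for ctype, _version, payload in parse_records(stream):
            if ctype == 20:
                encrypted = True
            elif ctype == 21:
                if not encrypted and len(payload) == 2:
                    level = ALERT_LEVELS.get(payload[0], str(payload[0]))
                    desc = ALERT_DESCRIPTIONS.get(payload[1], str(payload[1]))
                else:
                    level = desc = "encrypted"  # sender is known, reason is not
                findings.append((side, level, desc))
    return findings

# Constructed sample: stub handshake records, then a plaintext fatal alert from the server.
SAMPLE = {
    "client": bytes.fromhex("1603010004" "01000000"),
    "server": bytes.fromhex("1603030004" "02000000" "1503030002" "0228"),
}

if __name__ == "__main__":
    for side, level, desc in find_alerts(SAMPLE):
        print(f"{side} sent alert: level={level} description={desc}")
```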

