On 2020-07-27 13:49, Sven Hartge wrote:
Does your MTA present a client certificate? Maybe buxtehude does not like that?
Yes, it has a certificate. Whether buxtehude likes it I cannot say, but it looks OK to me. Its a wildcard certificate, though: Certificate: Data: Version: 3 (0x2) Serial Number: 0b:4b:72:01:12:76:76:75:a8:ec:10:0d:11:36:7b:f8 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA Validity Not Before: Jul 9 00:00:00 2020 GMT Not After : Sep 8 12:00:00 2022 GMT Subject: C=DE, ST=Nordrhein-Westfalen, L=Aachen, O=aixigo AG, OU=Internet, CN=*.aixigo.de Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:c7:43:b9:e8:1b:5b:2c:b0:a8:26:05:d3:9f:06: : : 47:58:c2:17:be:c9:d8:26:7a:4b:45:d6:df:19:cb: 50:79 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:0F:80:61:1C:82:31:61:D5:2F:28:E7:8D:46:38:B4:2C:E1:C6:D9:E2 X509v3 Subject Key Identifier: F7:5D:C6:13:97:9B:F8:D4:49:9E:EC:36:E1:B3:26:C2:12:BD:D2:8C X509v3 Subject Alternative Name: DNS:*.aixigo.de, DNS:aixigo.de, DNS:mail.aixigo.de X509v3 Key Usage: critical Digital Signature, Key Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 CRL Distribution Points: : : BTW, the problem showed up first on June 17th.
When diagnosing SSL errors I also find it helpful to wireshark the connection to see which side exactly triggers the SSL Alert. That may help highlight the culprit here.
See attachment. AFAICT this is all encrypted. Regards Harri
Attachment:
buxtehude.debian.org.pcap
Description: application/vnd.tcpdump.pcap