On 23/09/2020 18:16, Jeremy Harris via Exim-users wrote:
> On 23/09/2020 16:59, Bill Cole via Exim-users wrote:
>> 1. You don't allow any TLS versions below 1.2. While that may seem to be
>> a safety measure, it actually can cause problems because a client that
>> does not support v1.2 or v1.3 can only resort to sending in clear text.
>>
>> 2. Your server is soliciting client certificates and sending a list of
>> 126 acceptable CAs. Some clients may interpret the solicitation of
>> client certs as a demand for a client cert, and when they cannot match a
>> CA on that list, will give up. Unless you are using client certs for
>> authentication (generally not useful on port 25) there's no reason to
>> solicit them.
>
> No, neither of those - the GMX end is not even soliciting STARTTLS.
> It doesn't get as far as trying a TLS handshake.
>
> My only guess is to try disabling CHUNKING or PRDR advertisement, to see
> if one of those is confusing them.

Disable chunking, enable TLS v1.1 and are you using RSA or ECC certificates at your end?

I found that the world+dog (Facebook, Google, Gmail, Hotmail, Amazon, Apple ...) would talk to my relay servers with Sec-p521 ECC *except* Microsoft... for some reason Microsoft will only talk to mail servers if they are using RSA certificates - dumb if you ask me.

Mike


--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
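
The distinction drawn in the thread (a sending host that never issues STARTTLS versus one whose TLS handshake fails) can be checked from a captured cleartext SMTP session. The following is an added example, not part of the original messages or of Exim; the `S:`/`C:` transcript format, the host names and the function name `analyse` are assumptions made for illustration.

```python
import re

# Constructed sample session (not from the thread): "S:" server, "C:" client.
SAMPLE = """\
S: 220 mx.example.org ESMTP
C: EHLO mout.example.net
S: 250-mx.example.org Hello mout.example.net [192.0.2.10]
S: 250-SIZE 52428800
S: 250-PIPELINING
S: 250-CHUNKING
S: 250-PRDR
S: 250-STARTTLS
S: 250 HELP
C: MAIL FROM:<a@example.net>
S: 250 OK
"""

REPLY = re.compile(r"^(\d{3})([ -])(.*)$")  # code, continuation marker, text

def analyse(transcript):
    """Report advertised EHLO keywords and whether the client tried STARTTLS."""
    advertised, in_ehlo, first = [], False, True
    client_starttls = cleartext_mail = False
    for line in transcript.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            verb = text.split(" ", 1)[0].upper()
            if verb == "EHLO":
                in_ehlo, first, advertised = True, True, []
            elif verb == "STARTTLS":
                client_starttls = True
            elif verb == "MAIL" and not client_starttls:
                cleartext_mail = True  # mail sent without any TLS attempt
        elif side == "S" and in_ehlo:
            m = REPLY.match(text)
            if not m or m.group(1) != "250":
                in_ehlo = False
                continue
            if not first:  # the first 250 line is the greeting, not a keyword
                advertised.append(m.group(3).split(" ", 1)[0].upper())
            first = False
            if m.group(2) == " ":  # "250 " (space) ends the multi-line reply
                in_ehlo = False
    return {"advertised": advertised,
            "offered_starttls": "STARTTLS" in advertised,
            "client_starttls": client_starttls,
            "cleartext_mail": cleartext_mail}
```

Comparing the `advertised` list before and after turning off CHUNKING or PRDR advertisement shows whether the sender's behaviour changes with the advertised extension set.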
