Thanks Viktor and Jeremy for your assistance! So Victor just told, that the SNI problem is related to the crypto fail problem.
So for Jeremys questions: "exim -bP transport remote_smtp | grep dane" responds with: dane_require_tls_ciphers = hosts_require_dane = hosts_try_dane = * which should be the lowest possible configuration, as I tried to change as less than possible. and there is no mitm or anything else. I captured with tcpdump on the outgoing interface and found no SNI in the Client Helo There is also nothing like appArmor or SElinux, no docker or anything like that. Its a core virtual server with its own ip-address, no outbound firewall, nothing. I am learning at least, that this Mail-Test seems to earn the label TEST, as I got top-level scorings for my setup from all the usual culprits out there. So my result so far looks like: The connection problem seems to be somewhere in GnuTLS, as exim justs aks GNU-TLS for verification and does no own decisions, based on GNU-TLS feedback The problem is triggered by the fact, that my exim is not using SNI (neither with OpenSSL nor with GNU-TLS). As I am using in the test environment the default debian configuration, just with the minimal modifications to make DANE and DKIM work. regards Wolfgang -- ## subscription configuration (requires account): ## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/ ## unsubscribe (doesn't require an account): ## exim-users-unsubscr...@lists.exim.org ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/