The negotiation of STARTTLS is done in the clear, so a packet capture will tell you where the problem is... Wireshark usually explains well what options are in the packets...

Often, it is a problem of finding a cipher acceptable to both parties... Finally, make sure your firewall is not messing with SMTP packets...

On Mon, Jan 9, 2017 at 4:21 AM, Robert Mueller <r...@fastmail.fm> wrote:
>
> > We've suddenly had a couple of reports from users about people sending
> > to them (e.g. sending from a remote service to our servers) failing and
> > bouncing with the error message:
> >
> > Certificate rejected over TLS. (unknown protocol)
>
> Just to update with more information.
>
> So it turns out we'd actually encountered this problem before (Oct
> 2015), and had put a workaround in place at the time. It appears that
> us.af.mil servers were having problems connecting to our postfix
> instances and at the time couldn't work out what the obvious reason was,
> so I had added this to our postfix config.
>
> main.cf
> ...
> # Disable starttls for some problematic hosts
> smtpd_discard_ehlo_keyword_address_maps =
>     cidr:/etc/postfix/access_client-helo_keyword.cidr
>
> access_client-helo_keyword.cidr
> # us.af.mil has TLS problems. IPs taken from SPF record (e.g. dig
> # us.af.mil TXT)
> 132.3.0.0/16 starttls
> ...
> 131.15.70.0/24 starttls
>
> It appears recently they must have added additional servers, since their
> SPF records have changed. Adding these:
>
> +131.9.253.0/24 starttls
> +131.27.1.0/24 starttls
>
> Fixed the problem.
>
> Ideally I'd like to actually work out what's causing the sending servers
> to fail with our TLS configuration, but it's a bit of work I haven't had
> time for, thus this workaround for now.
>
> --
> Rob Mueller
> r...@fastmail.fm
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
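The quoted workaround keys a cidr: table off networks copied by hand from the sender's SPF record, and it broke again as soon as that record changed. The script below is an added example, not code from the mailing-list post or from Postfix: it rebuilds such a table from an SPF record (following include:/redirect= through a caller-supplied resolver, which is an assumed interface), and emulates the first-match-wins lookup Postfix performs on a cidr: table so the result can be checked before it goes live. The domains and SPF strings in the test are constructed; the live `__main__` path assumes `dig` is installed.

```python
"""Generate a Postfix cidr: table for smtpd_discard_ehlo_keyword_address_maps
from a sender domain's SPF record, and look client addresses up in it the way
Postfix does (first matching entry wins).

Added example, not from the mailing-list post or from Postfix. Only ip4:/ip6:
terms carry literal networks; include: and redirect= are followed through a
caller-supplied resolver; a/mx/ptr/exists terms are reported as unresolved
because each needs its own DNS lookup.
"""
import ipaddress
from typing import Callable, Iterable, List, Optional, Set, Tuple, Union

# Assumed interface: resolver(name) returns the TXT strings published at name.
TxtResolver = Callable[[str], List[str]]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

_MAX_DEPTH = 10  # RFC 7208 allows at most 10 DNS-querying terms; bound recursion


def spf_networks(domain: str, resolver: TxtResolver,
                 _depth: int = 0) -> Tuple[Set[Network], Set[str]]:
    """Return (networks, unresolved_terms) for the SPF record of `domain`.

    Terms with a "-" qualifier are skipped: SPF says those hosts never send
    for the domain, so there is nothing to work around for them.
    """
    nets: Set[Network] = set()
    unresolved: Set[str] = set()
    if _depth > _MAX_DEPTH:
        unresolved.add(f"{domain} (include/redirect depth limit)")
        return nets, unresolved
    records = [t for t in resolver(domain) if t.lower().startswith("v=spf1")]
    if len(records) != 1:  # zero or several records is a permerror in SPF
        unresolved.add(f"{domain} (found {len(records)} SPF records)")
        return nets, unresolved
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?")
        low = mech.lower()
        if qualifier == "-" or low == "all" or low.startswith("exp="):
            continue
        if low.startswith("include:") or low.startswith("redirect="):
            target = mech.split(":" if low.startswith("include:") else "=", 1)[1]
            sub_nets, sub_unresolved = spf_networks(target, resolver, _depth + 1)
            nets |= sub_nets
            unresolved |= sub_unresolved
        elif low.startswith(("ip4:", "ip6:")):
            try:
                nets.add(ipaddress.ip_network(mech[4:], strict=False))
            except ValueError:
                unresolved.add(term)
        else:
            # a/mx/ptr/exists need their own DNS lookups; anything else is
            # an unknown mechanism or modifier. Either way, flag it for a human.
            unresolved.add(term)
    return nets, unresolved


def cidr_table(nets: Iterable[Network], action: str = "starttls",
               comment: str = "") -> str:
    """Render networks as cidr_table(5) entries, IPv4 first, then IPv6, ascending."""
    lines = [f"# {comment}"] if comment else []
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    lines += [f"{net.with_prefixlen} {action}" for net in ordered]
    return "\n".join(lines) + "\n"


def cidr_lookup(table: str, client_ip: str) -> Optional[str]:
    """Emulate `postmap -q client_ip cidr:table`: the first matching entry wins."""
    addr = ipaddress.ip_address(client_ip)
    for raw in table.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        net = ipaddress.ip_network(parts[0], strict=False)
        if net.version == addr.version and addr in net:
            return parts[1].strip()
    return None


if __name__ == "__main__":
    import subprocess
    import sys

    def dig_txt(name: str) -> List[str]:
        """Live resolver via dig (assumed installed); joins split TXT chunks."""
        out = subprocess.run(["dig", "+short", "TXT", name],
                             capture_output=True, text=True, check=False).stdout
        return [l.strip().strip('"').replace('" "', "") for l in out.splitlines()]

    domain = sys.argv[1] if len(sys.argv) > 1 else "example.net"
    nets, unresolved = spf_networks(domain, dig_txt)
    sys.stdout.write(cidr_table(nets, comment=f"{domain} has TLS problems; networks from its SPF record"))
    for term in sorted(unresolved):
        sys.stderr.write(f"# unresolved SPF term, expand by hand: {term}\n")
```

Two checks are worth doing with the generated file. On the Postfix host, `postmap -q 131.9.253.7 cidr:/etc/postfix/access_client-helo_keyword.cidr` should print `starttls` for an address inside one of the listed networks and nothing for an address outside them; and since the map only hides STARTTLS from those clients rather than fixing the handshake, mail from them now travels in the clear, so the list should be regenerated when the SPF record changes and the underlying failure still diagnosed, for example by capturing the session as the reply suggests or by running `openssl s_client -starttls smtp -connect host:25` from the sending side to see which protocol and cipher are negotiated.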