On May 11, 2020, at 11:19 PM, Alexander Vasarab 
<alexander+p...@vasaconsulting.com> wrote:

> I've captured the relevant conversation. In doing so, it became clear to
> me that when the message succeeds after immediately trying again, it
> does so because the subsequent connection does not try to use TLS. So
> the pattern is: attempt TLS connection, fail, attempt plaintext
> connection, succeed. This was alarming to realize.
>
> From the pcap, in brief: I see the connection, STARTTLS, TLSv1.2
> handshake succeed, "application data" packets being exchanged using
> TLSv1.2. Finally, my mail server sends two TCP packets with the RST flag
> set. Between those two packets is an 'encrypted alert' packet from the
> foreign mailserver.

The encrypted alert is almost certain to be a close_notify. But you're
saying that your server sends a RST first? That's surprising; please
post the PCAP file (just the one session), and the associated Postfix
logs.

> I'm not certain on the norms of this mailing list but I can put the
> entire pcap somewhere if it would be helpful, it's 35 frames long.

Attaching it is fine, if you're willing to disclose the IP addresses and
hostnames of the two servers.

-- 
        Viktor.
