On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote:
> On 13/6/2022 4:31 pm, Wietse Venema wrote:
>
> > Delete the TLS protocol and cipher crap, and see if that solves
> > the problem.
>
> I am sad to report, even after removing the bad configs, the ariba
> emails are still not coming in.
>
> Here are the logs. Is there any other thing I can do?
>
> -------------- start ---------------
> Jun 15 01:39:51 mail postfix/smtpd[605304]: connect from ansmtp.ariba.com[216.109.104.12]
> Jun 15 01:39:51 mail postfix/smtpd[605304]: discarding EHLO keywords: CHUNKING
> Jun 15 01:39:52 mail postfix/smtpd[605304]: SSL_accept error from ansmtp.ariba.com[216.109.104.12]: Connection reset by peer
> Jun 15 01:39:52 mail postfix/smtpd[605304]: lost connection after STARTTLS from ansmtp.ariba.com[216.109.104.12]
> Jun 15 01:39:52 mail postfix/smtpd[605304]: disconnect from ansmtp.ariba.com[216.109.104.12] ehlo=1 starttls=0/1 commands=1/2
Two comments on your server setup:

* The server certificate is 4096 bit RSA. This is needlessly turgid.
  The issuing CA is 2048 bits; there is little to gain from a stronger
  EE key. Some peer libraries may not support keys of this size.

* The "Let's Encrypt CA" chain is configured for compatibility with
  legacy Android systems that trust the expired "DST" root CA:

    subject=CN = prometheus.mindmedia.com.sg
    issuer=C = US, O = Let's Encrypt, CN = R3
    subject=C = US, O = Let's Encrypt, CN = R3
    issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
    subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
    issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

  You may have better luck by configuring "certbot" or similar to build
  a chain that avoids the ISRG -> DST cross cert.

-- 
    Viktor.
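The chain-shape problem Viktor points at (a server sending the ISRG Root X1 cross-certificate issued by the expired DST Root CA X3, purely for legacy Android compatibility) can be checked mechanically from the subject/issuer text that `openssl x509 -noout -subject -issuer` prints for each certificate in a `-showcerts` dump. The following script is an added example, not code from this thread or from Postfix, certbot or OpenSSL. The first sample chain is the one quoted in the mail; the second, shorter chain is constructed to show the alternative shape. The set of roots treated as "already trusted by the peer" is an assumption passed in as a parameter (here just ISRG Root X1). The script verifies that each certificate's issuer is the next certificate's subject, then flags any chain member whose subject names a trusted root but whose issuer is someone else, which is exactly the cross-cert that lengthens the handshake for peers that need none of it.

```python
"""Detect legacy-compat cross-certificates in a served TLS chain.

Added example (not from the postfix-users thread). Input is the
"subject=... / issuer=..." text form that `openssl x509 -subject -issuer`
prints, one certificate after another, leaf first.
"""
import re
from typing import Dict, List, Tuple

Pair = Tuple[str, str]  # (subject DN, issuer DN)

# Constructed sample 1: the chain quoted in the mail (long, legacy-Android shape).
LONG_CHAIN = """\
subject=CN = prometheus.mindmedia.com.sg
issuer=C = US, O = Let's Encrypt, CN = R3
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# Constructed sample 2: the same leaf with the short chain ending at ISRG Root X1.
SHORT_CHAIN = """\
subject=CN = prometheus.mindmedia.com.sg
issuer=C = US, O = Let's Encrypt, CN = R3
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Assumption: the roots the peer population is taken to trust directly.
DEFAULT_TRUSTED_ROOTS = frozenset({"ISRG Root X1"})


def parse_chain(text: str) -> List[Pair]:
    """Return (subject, issuer) pairs in the order the server sent them."""
    pairs: List[Pair] = []
    subject = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            if subject is None:
                raise ValueError("issuer= line without a preceding subject= line")
            pairs.append((subject, line[len("issuer="):].strip()))
            subject = None
    return pairs


def cn_of(dn: str) -> str:
    """Extract the CN attribute from an OpenSSL-style DN string."""
    m = re.search(r"CN\s*=\s*([^,]+)", dn)
    return m.group(1).strip() if m else dn


def chain_links(pairs: List[Pair]) -> bool:
    """True when every certificate's issuer equals the next certificate's subject."""
    return all(pairs[i][1] == pairs[i + 1][0] for i in range(len(pairs) - 1))


def cross_signed_roots(pairs: List[Pair], trusted_roots) -> List[Tuple[str, str]]:
    """Chain members that name a trusted root as subject but are issued by another name.

    Such a certificate is a cross-cert: peers that already trust the root
    gain nothing from it, and it drags in the external issuer (here DST).
    """
    return [
        (cn_of(subject), cn_of(issuer))
        for subject, issuer in pairs
        if cn_of(subject) in trusted_roots and subject != issuer
    ]


def analyze(text: str, trusted_roots=DEFAULT_TRUSTED_ROOTS) -> Dict[str, object]:
    """Summarize a chain: depth, linkage, terminal issuer, cross-certs, advice."""
    pairs = parse_chain(text)
    if not pairs:
        raise ValueError("no certificates found in input")
    crossed = cross_signed_roots(pairs, trusted_roots)
    return {
        "depth": len(pairs),
        "links": chain_links(pairs),
        "terminal_issuer": cn_of(pairs[-1][1]),
        "cross_signed": crossed,
        # The root named by the cross-cert is the one a shorter chain should end at;
        # certbot's --preferred-chain option takes that CN.
        "preferred_chain": crossed[0][0] if crossed else None,
    }


if __name__ == "__main__":
    for name, chain in (("long", LONG_CHAIN), ("short", SHORT_CHAIN)):
        print(name, analyze(chain))
```

To obtain real input, capture the served chain with `openssl s_client -starttls smtp -connect mail.example.invalid:25 -showcerts` (hostname is a placeholder) and run each PEM block through `openssl x509 -noout -subject -issuer`. When the report names a `preferred_chain`, certbot's `--preferred-chain "ISRG Root X1"` option selects the shorter chain at the next renewal; the same check run after renewal should then return an empty `cross_signed` list.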