On Wed, Jun 15, 2022 at 12:07:25AM +0530, P V Anthony wrote:
> On 13/6/2022 4:31 pm, Wietse Venema wrote:
> 
> > Delete the TLS protocol and cipher crap, and see if that solves
> > the problem.
> 
> I am sad to report, even after removing the bad configs, the Ariba 
> emails are still not coming in.
> 
> Here are the logs. Is there any other thing I can do?
> 
> -------------- start ---------------
> Jun 15 01:39:51 mail postfix/smtpd[605304]: connect from ansmtp.ariba.com[216.109.104.12]
> Jun 15 01:39:51 mail postfix/smtpd[605304]: discarding EHLO keywords: CHUNKING
> Jun 15 01:39:52 mail postfix/smtpd[605304]: SSL_accept error from ansmtp.ariba.com[216.109.104.12]: Connection reset by peer
> Jun 15 01:39:52 mail postfix/smtpd[605304]: lost connection after STARTTLS from ansmtp.ariba.com[216.109.104.12]
> Jun 15 01:39:52 mail postfix/smtpd[605304]: disconnect from ansmtp.ariba.com[216.109.104.12] ehlo=1 starttls=0/1 commands=1/2

Two comments on your server setup:

    * The server certificate is 4096 bit RSA.  This is needlessly turgid.
      The issuing CA is 2048 bits; there is little to gain from a
      stronger EE key.  Some peer libraries may not support keys of this
      size.

    * The "Let's Encrypt CA" chain is configured for compatibility with
      legacy Android systems that trust the expired "DST" root CA:

        subject=CN = prometheus.mindmedia.com.sg
        issuer=C = US, O = Let's Encrypt, CN = R3

        subject=C = US, O = Let's Encrypt, CN = R3
        issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

        subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
        issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

      You may have better luck by configuring "certbot" or similar to
      build a chain that avoids the ISRG -> DST cross cert.

-- 
    Viktor.

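As an added example (not part of Viktor's reply, the poster's setup, or any Postfix or certbot code), the following POSIX shell script checks the two points raised above from a PEM bundle: it reports the key size, subject and issuer of every certificate in the chain, and it flags a chain whose last certificate is issued by "DST Root CA X3", i.e. one built through the ISRG Root X1 -> DST cross cert. It needs the openssl command-line tool; the file paths and host name in the comments are assumptions, not the poster's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: inspect the certificate chain a
# Postfix smtpd (or any TLS server) presents. Requires the openssl CLI.
# Paths and host names here are assumptions for illustration only.
#
# To capture the chain a live server sends (hypothetical host):
#   openssl s_client -starttls smtp -connect mail.example.com:25 -showcerts \
#       </dev/null 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > chain.pem
#   chain_report chain.pem

# Public-key size in bits of the first certificate in a PEM file.
# Handles both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (3.x).
pem_key_bits() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Split a PEM bundle ($1) into one file per certificate under directory $2,
# keeping the PEM armor and dropping any text outside it (e.g. s_client chatter).
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$1"
}

# Number of certificates in a PEM bundle.
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Issuer DN of the last certificate in the bundle, i.e. the top of the chain
# as the server sends it. For the chain quoted in the thread this is DST Root CA X3.
chain_last_issuer() {
    d=$(mktemp -d) || return 1
    split_chain "$1" "$d"
    last=""
    for c in "$d"/cert*.pem; do [ -f "$c" ] && last=$c; done
    [ -n "$last" ] && openssl x509 -in "$last" -noout -issuer | sed 's/^issuer= *//'
    rm -rf "$d"
}

# One summary line per certificate (depth, key bits, subject, issuer).
# Returns 1 if the chain is built towards the expired DST root, 0 otherwise.
chain_report() {
    d=$(mktemp -d) || return 1
    split_chain "$1" "$d"
    i=0
    issuer=""
    for c in "$d"/cert*.pem; do
        [ -f "$c" ] || continue
        i=$((i + 1))
        subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        printf '%d: %s bits; subject=%s; issuer=%s\n' \
            "$i" "$(pem_key_bits "$c")" "$subject" "$issuer"
    done
    rm -rf "$d"
    case "$issuer" in
        *"DST Root CA X3"*)
            echo "chain ends at the expired DST Root CA X3 cross cert; request the ISRG Root X1 chain instead" >&2
            return 1 ;;
    esac
    return 0
}

# Stand-alone use: chain_report /etc/letsencrypt/live/example/fullchain.pem (assumed path)
if [ "$#" -gt 0 ]; then
    chain_report "$1"
fi
```

If the report ends at DST Root CA X3, certbot's `--preferred-chain "ISRG Root X1"` option asks Let's Encrypt for the chain that stops at the ISRG root, which is what the reply above suggests; the key-size line tells you at a glance whether the EE key is the 4096-bit one that was also mentioned.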