Re: embarrassing mail problem

2022-10-05 Thread Tom Smyth
howdy Steve...
on newer versions of OpenBSD OpenSMTPD
legacy tls versions / ciphers are disabled by default...
there is an option to allow legacy tls versions (I can't remember the
option off hand but man smtpd.conf and search for tls; you should find it
handy enough)... this caught me out on an upgrade to 7.0

btw mxtoolbox.com has some useful tests that could help you diagnose mail
flow issues...

DMARC + DKIM would be worth looking at...

also check the spamhaus PBL... if your isp suddenly added their subscriber
ip ranges to the PBL this could negatively impact you if your mail server
ip is in the ranges the ISP included in Spamhaus Policy Block List...

hope this helps



On Wed 5 Oct 2022, 23:07 Steve Fairhead,  wrote:

> I've searched and failed, and I realise I'm going to show my total
> ignorance by not having found an answer (and no, I've not been keeping
> up these last few years - mea culpa - demanding day-job). But - I'd be
> grateful for any (gentle or otherwise) cluebats.
>
> I have several OpenBSD email servers, some elderly (Sendmail) and some
> brand-spanking new (smtpd). Recently I've noticed that some (of both
> kinds) are failing to deliver mail to some major UK ISPs. (Mostly
> domestic; business ISPs not so much.)
>
> For Sendmail, the error is "TLS handshake failed"; for smtpd, it's
> "Network error on destination MXs".
>
> I do have SPF etc setup; thought that might be it, but no. I've read
> that some ISPs have closed port 25. I presume that's relevant, but I
> simply don't know.
>
> As I said, all cluebats gratefully (and probably painfully) accepted.
>
> Steve
>
> --
> Steve Fairhead
>   email: st...@fivetrees.com
>


Re: embarrassing mail problem

2022-10-05 Thread Jeremy Mates
On Wed, Oct 05, 2022 at 10:04:36PM +0100, Steve Fairhead wrote:
> For Sendmail, the error is "TLS handshake failed"; for smtpd, it's
> "Network error on destination MXs".

one "fix" would be to disable TLS for the domains in question, which
at least would let the mail go through until the encryption can be
set aright, perhaps with an access map entry along the lines of

Try_TLS:badhost.example.com NO



Re: embarrassing mail problem

2022-10-06 Thread Stuart Henderson
On 2022-10-05, Steve Fairhead  wrote:
> I have several OpenBSD email servers, some elderly (Sendmail) and some 
> brand-spanking new (smtpd). Recently I've noticed that some (of both 
> kinds) are failing to deliver mail to some major UK ISPs. (Mostly 
> domestic; business ISPs not so much.)
>
> For Sendmail, the error is "TLS handshake failed"; for smtpd, it's 
> "Network error on destination MXs".

Can you show some example servers that are having the problem?

Has anything changed network-wise on your side that might coincide
with this breaking?

> I do have SPF etc setup; thought that might be it, but no. I've read 
> that some ISPs have closed port 25. I presume that's relevant, but I 
> simply don't know.

Delivery to MXes is done on port 25 so nobody is closing that on the
server side.

Some access ISPs may filter port 25 (and if so, may or may not have a
way to unblock it) but that would usually block everything on port 25,
not leave some working.

Shot in the dark: you could try lowering MTU as a test.

-- 
Please keep replies on the mailing list.



Re: embarrassing mail problem

2022-10-06 Thread Steven Shockley

On 10/5/2022 5:04 PM, Steve Fairhead wrote:
> I have several OpenBSD email servers, some elderly (Sendmail) and some
> brand-spanking new (smtpd). Recently I've noticed that some (of both
> kinds) are failing to deliver mail to some major UK ISPs. (Mostly
> domestic; business ISPs not so much.)
>
> For Sendmail, the error is "TLS handshake failed"; for smtpd, it's
> "Network error on destination MXs".

"TLS handshake failed" usually means a TLS cipher mismatch, but maybe 
they're requiring a valid public certificate.  You can also use 
testssl.sh to see what ciphers they're actually using.


Check the logs and do a tcpdump of one of the failed connections.  One 
of those should tell you directly what's wrong.
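A probe for the handshake failures discussed in this thread (Tom's point that newer OpenSMTPD disables legacy TLS versions and ciphers, Steven's cipher-mismatch suggestion), added here as an example and not code from any of the posters: it opens a fresh SMTP session to an MX on port 25 once per TLS version, issues STARTTLS with exactly that version allowed, and reports whether the remote completes only legacy versions. The MX hostname comes from the command line; `mx.example.invalid` is a placeholder, and the `legacy-only`/`modern`/`no-tls` verdict names are this example's own.

```python
import smtplib
import ssl
import sys
# Newest first, so the first success is the best a modern sender can get.
VERSIONS = [("TLSv1.3", ssl.TLSVersion.TLSv1_3), ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
            ("TLSv1.1", ssl.TLSVersion.TLSv1_1), ("TLSv1", ssl.TLSVersion.TLSv1)]

def make_context(version):
    # Pin exactly one protocol version; no cert checks, this is a probe, not delivery.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = version
    ctx.maximum_version = version
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if version < ssl.TLSVersion.TLSv1_2:
        try:  # OpenSSL 3 hides TLS 1.0/1.1 behind security level 0
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        except ssl.SSLError:  # LibreSSL (OpenBSD) has no @SECLEVEL keyword
            ctx.set_ciphers("ALL")
    return ctx

def probe(host, port=25, timeout=10):
    # One fresh SMTP session per version: {name: (handshake_ok, cipher_or_error)}
    results = {}
    for name, version in VERSIONS:
        try:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.ehlo()
                smtp.starttls(context=make_context(version))
                results[name] = (True, smtp.sock.cipher()[0])
        except (smtplib.SMTPException, ssl.SSLError, OSError, ValueError) as exc:
            results[name] = (False, str(exc))
    return results

def diagnose(results):
    # 'legacy-only' is the case a sender with legacy TLS disabled cannot reach.
    ok = {name for name, (good, _) in results.items() if good}
    if ok & {"TLSv1.3", "TLSv1.2"}:
        return "modern"
    if ok & {"TLSv1.1", "TLSv1"}:
        return "legacy-only"
    return "no-tls"

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mx.example.invalid"  # placeholder MX
    res = probe(host)
    for name, (good, detail) in res.items():
        print(f"{name:8} {'ok  ' if good else 'FAIL'} {detail}")
    print("verdict:", diagnose(res))
```

A `legacy-only` verdict against a failing MX matches Tom's explanation (the remote needs a version the upgraded sender no longer offers); `no-tls` with a handshake error on every version points instead at the certificate, filtering or MTU angles raised by Steven and Stuart.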