Hello Patrick,
Patrick Domack wrote:
Looks like two different issues.
The certificate name on smtp3.strotmann.de doesn't match, it is mail.tidelock.de instead.
Yes, true, but that should not be an issue when using DANE-EE(3).
From https://tools.ietf.org/html/rfc7671#section-5.1:
In particular, the binding of the server public key to its name is based entirely on the TLSA record association. The server MUST be considered authenticated even if none of the names in the certificate match the client's reference identity for the server.
When using smtp2.strotmann.de, the TLS/DANE part works fine, but after this, and you attempt to send an email, it fails.
posttls-finger: Verified TLS connection established to smtp2.strotmann.de[5.45.109.212]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
posttls-finger: > EHLO mx3.grsi.com
posttls-finger: < 500 5.5.1 Command unrecognized
posttls-finger: EHLO rejected: 500 5.5.1 Command unrecognized
posttls-finger: > QUIT
I am not sure what is talking here, but it's not postfix and it's not allowing the ehlo to be processed.
This is OpenBSD's "spamd" intercepting. I need to check why it is intercepting here, and not transparently piping towards the Postfix.
Thanks for the pointers, I will check that.
-- Carsten
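
The DANE-EE(3) matching rule quoted from RFC 7671 above, as an added example that is not part of the original message and is not Postfix code: the check compares only the TLSA association data against the presented certificate or its public key and never consults a certificate name. All function names are hypothetical, and `sample_cert` builds constructed, unsigned certificate-shaped bytes purely as test input.

```python
import hashlib, hmac

def der_tlv(tag, body):
    """Encode one DER TLV; used here only to build the constructed sample."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def read_tlv(buf, pos):
    """Return (tag, body_start, tlv_end) for the DER TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    body = pos + 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n, body = int.from_bytes(buf[body:body + k], "big"), body + k
    if body + n > len(buf):
        raise ValueError("truncated DER")
    return tag, body, body + n

def spki_of(cert):
    """Return the complete SubjectPublicKeyInfo TLV of a DER certificate."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # tbsCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    for _ in range(5):                   # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def dane_ee_match(cert, selector, mtype, data):
    """True if a usage-3 TLSA record matches cert; no name is ever compared."""
    selected = cert if selector == 0 else spki_of(cert)   # 0 = full cert, 1 = SPKI
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype](selected)
    return hmac.compare_digest(digest, data)

def sample_cert(cn, key):
    """Constructed, unsigned certificate-shaped DER (not a real certificate)."""
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30,
           der_tlv(0x06, b"\x55\x04\x03") + der_tlv(0x0C, cn))))
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d010101")) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + key))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
          + alg + name + der_tlv(0x30, b"") + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
```

With a `3 1 1` record, two certificates that carry the same key but different subject names both match, while a certificate with the expected name and a different key does not.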