Many STARTTLS errors after swapping the certificate

Frank Fiene ffiene at veka.com
Fri Apr 29 20:38:23 CEST 2022


Oh man, what an idiot I am.

My DANE is of course broken now, and the providers in question are apparently checking the TLSA record.

:-(

Beginner's mistake.

> On 29.04.2022 at 20:19, Frank Fiene via Postfixbuch-users <postfixbuch-users at listen.jpberlin.de> wrote:
> 
> Hi!
> 
> I'm at my wits' end.
> 
> When I run https://www.checktls.com/TestReceiver against our domain, everything looks fine.
> 
> [000.000]      Trying TLS on smtp1.veka.com[185.254.60.2:25] (10)
> [000.091]      Server answered
> [001.038] <--  220 smtp1.veka.com ESMTP Postfix (Ubuntu)
> [001.038]      We are allowed to connect
> [001.038] -->  EHLO www12-azure.checktls.com
> [001.134] <--  250-smtp1.veka.com
> 250-PIPELINING
> 250-SIZE 65536000
> 250-ETRN
> 250-STARTTLS
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-DSN
> 250 SMTPUTF8
> [001.134]      We can use this server
> [001.134]      TLS is an option on this server
> [001.135] -->  STARTTLS
> [001.225] <--  220 2.0.0 Ready to start TLS
> [001.225]      STARTTLS command works on this server
> [001.465]      Connection converted to SSL
>                SSLVersion in use: TLSv1_3
>                Cipher in use: TLS_AES_256_GCM_SHA384
>                Perfect Forward Secrecy: yes
>                Session Algorithm in use: Curve X25519 DHE(253 bits)
>                Certificate #1 of 3 (sent by MX):
>                Cert VALIDATED: ok
>                Cert Hostname VERIFIED (smtp1.veka.com = veka.com | DNS:veka.com | DNS:*.veka.com | DNS:*.veka.de | DNS:veka.de | DNS:veka.nl | DNS:www.veka.nl | DNS:www.architecten.vekakozijn.nl | DNS:architecten.vekakozijn.nl | DNS:www.veka.ch | DNS:veka.ch | DNS:www.veka.it | DNS:veka.it | DNS:www.veka.be | DNS:veka.be | DNS:www.veka.cz | DNS:veka.cz | DNS:www.veka-ut.de | DNS:veka-ut.de | DNS:www.veka.com.tr | DNS:veka.com.tr | DNS:www.extranet.veka.fr | DNS:extranet.veka.fr | DNS:www.extranet.veka.es | DNS:extranet.veka.es | DNS:www.veka.pt | DNS:veka.pt | DNS:www.extranet.veka.pt | DNS:extranet.veka.pt | DNS:www.vekats.com | DNS:vekats.com | DNS:www.veka.sk | DNS:veka.sk | DNS:astaro.de01.veka.com)
>                Not Valid Before: Apr 28 00:00:00 2022 GMT
>                Not Valid After: May 20 23:59:59 2023 GMT
>                subject= /C=DE/ST=Nordrhein-Westfalen/L=Sendenhorst/O=Veka AG/CN=veka.com
>                issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust TLS RSA CA G1
>                Certificate #2 of 3 (sent by MX):
>                Cert VALIDATED: ok
>                Not Valid Before: Nov  2 12:23:37 2017 GMT
>                Not Valid After: Nov  2 12:23:37 2027 GMT
>                subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=GeoTrust TLS RSA CA G1
>                issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
>                Certificate #3 of 3 (added from CA Root Store):
>                Cert VALIDATED: ok
>                Not Valid Before: Aug  1 12:00:00 2013 GMT
>                Not Valid After: Jan 15 12:00:00 2038 GMT
>                subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
>                issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
> [001.911] ~~>  EHLO www12-azure.checktls.com
> [002.002] <~~  250-smtp1.veka.com
> 250-PIPELINING
> 250-SIZE 65536000
> 250-ETRN
> 250-ENHANCEDSTATUSCODES
> 250-8BITMIME
> 250-DSN
> 250 SMTPUTF8
> [002.003]      TLS successfully started on this server
> [002.003] ~~>  MAIL FROM:<test@checktls.com>
> [002.093] <~~  250 2.1.0 Ok
> [002.094]      Sender is OK
> [002.094] ~~>  QUIT
> [002.185] <~~  221 2.0.0 Bye
> 
> But various mails are not arriving, above all from Microsoft and web.de, probably gmx too.
> 
> I have a fair number of these in the MX logs:
> 
> Apr 29 19:55:54 smtp1 postfix/smtpd[20048]: lost connection after STARTTLS from smtpout15.sweb.ru[2a02:408:7722:1:77:222:41:79]
> Apr 29 19:56:09 smtp1 postfix/smtpd[20045]: lost connection after STARTTLS from delivery.mailspamprotection.com[185.56.84.23]
> Apr 29 19:56:46 smtp1 postfix/smtpd[22521]: lost connection after STARTTLS from e2i45.smtp2go.com[103.2.140.45]
> Apr 29 19:58:50 smtp1 postfix/smtpd[23630]: lost connection after STARTTLS from server2.limesoft.com.br[67.23.255.130]
> Apr 29 20:00:16 smtp1 postfix/smtpd[27009]: lost connection after STARTTLS from mout.gmx.net[212.227.15.15]
> Apr 29 20:00:18 smtp1 postfix/smtpd[27006]: lost connection after STARTTLS from out3-76.antispamcloud.com[185.201.18.76]
> Apr 29 20:03:25 smtp1 postfix/smtpd[27420]: lost connection after STARTTLS from molamola.ripe.net[2001:67c:2e8:11::c100:1371]
> Apr 29 20:03:25 smtp1 postfix/smtpd[30976]: lost connection after STARTTLS from molamola.ripe.net[193.0.19.113]
> Apr 29 20:04:06 smtp1 postfix/smtpd[30976]: lost connection after STARTTLS from 153207.onlinenow.com.ar[205.251.153.207]
> Apr 29 20:04:40 smtp1 postfix/smtpd[32610]: lost connection after STARTTLS from smtpout13.sweb.ru[2a02:408:7722:1:77:222:41:57]
> Apr 29 20:04:52 smtp1 postfix/smtpd[32596]: lost connection after STARTTLS from mout.web.de[212.227.17.12]
> Apr 29 20:05:03 smtp1 postfix/smtpd[32595]: lost connection after STARTTLS from nx226.node02.secure-mailgate.com[192.162.87.226]
> Apr 29 20:05:39 smtp1 postfix/smtpd[32599]: lost connection after STARTTLS from mout.gmx.net[212.227.17.22]
> Apr 29 20:06:32 smtp1 postfix/smtpd[32598]: lost connection after STARTTLS from nx109.node02.secure-mailgate.com[192.162.87.109]
> Apr 29 20:07:25 smtp1 postfix/smtpd[32595]: lost connection after STARTTLS from mail.ozokgroup.com[185.111.235.60]
> Apr 29 20:09:14 smtp1 postfix/smtpd[32597]: lost connection after STARTTLS from resqmta-a1p-077438.sys.comcast.net[96.103.146.52]
> Apr 29 20:11:08 smtp1 postfix/smtpd[6695]: lost connection after STARTTLS from delivery.mailspamprotection.com[185.56.85.145]
> Apr 29 20:11:30 smtp1 postfix/smtpd[6695]: lost connection after STARTTLS from mout.web.de[212.227.17.11]
> Apr 29 20:12:09 smtp1 postfix/smtpd[6537]: lost connection after STARTTLS from cp-nbg1-bgho.nethinks.com[212.218.193.253]
> 
> Oddly, nothing from Microsoft.
> 
> I'm curious whether this mail will make it back to me from the mailing list.
> 
> 
> Best regards!
> Frank
> --
> Frank Fiene
> IT-Security Manager VEKA Group
> 
> Fon: +49 2526 29-6200
> Fax: +49 2526 29-16-6200
> mailto: ffiene at veka.com
> http://www.veka.com
> 
> PGP-ID: 62112A51
> PGP-Fingerprint: 7E12 D61B 40F0 212D 5A55 765D 2A3B B29B 6211 2A51
> Threema: VZK5NDWW
> 
> VEKA AKTIENGESELLSCHAFT
> Dieselstr. 8
> 48324 Sendenhorst
> Deutschland/Germany
> http://www.veka.com
> 
> Vorstand/Executive Board: Andreas Hartleif (Vorsitzender/CEO),
> Pascal Heitmar, Josef L. Beckhoff, Elke Hartleif, Dr. Werner Schuler,
> Vorsitzender des Aufsichtsrates/Chairman of Supervisory Board: Dr. Andreas W. Hillebrand
> 
> HRB 8282 AG Münster/District Court of Münster
> 

Best regards!
pp Frank Fiene
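The diagnosis in the reply, worked through in code as an added example that is not part of the thread: after a certificate swap, the DANE TLSA record published under `_25._tcp.<mx>` still describes the old key, so senders that validate DANE (the log above shows mout.gmx.net and mout.web.de among those dropping the session) abort right after STARTTLS, which Postfix records as "lost connection after STARTTLS". The script computes the TLSA data a given certificate would need, checks a certificate against the records DNS currently carries, and shows the edge case that matters for rotation: a re-issued certificate that keeps the same key pair still satisfies a "3 1 1" record, while a new key pair does not. It uses only the Python standard library; the certificates it checks are constructed, certificate-shaped DER built by `fake_cert` (not real X.509 certificates), and the names `spki_der`, `tlsa_rdata`, `matching_records` and `rotation_report` are this example's own.

```python
"""Does the certificate a mail server presents still match the DANE TLSA
records published for it?  Added example (standard library only), not code
from the list thread.  A tiny DER walker extracts the SubjectPublicKeyInfo,
which is what the common "3 1 1" TLSA form hashes."""
import hashlib


def _tlv(buf, pos):
    """Parse one DER TLV at buf[pos]: (tag, whole TLV, value, next position)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr = 2 + n
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[pos:end], buf[start:end], end


def _children(value):
    """Yield (tag, TLV) for each element directly inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, tlv, _, pos = _tlv(value, pos)
        yield tag, tlv


def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, _, cert_body, _ = _tlv(cert_der, 0)             # Certificate SEQUENCE
    _, _, tbs_body, _ = _tlv(cert_body, 0)             # TBSCertificate SEQUENCE
    fields = list(_children(tbs_body))
    if fields[0][0] == 0xA0:                           # optional [0] version
        fields = fields[1:]
    # serial, signature alg, issuer, validity, subject, then the SPKI
    return fields[5][1]


_DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}


def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """TLSA presentation data ("usage selector mtype assoc") for cert_der."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    assoc = data.hex() if mtype == 0 else _DIGESTS[mtype](data).hexdigest()
    return f"{usage} {selector} {mtype} {assoc}"


def matching_records(published, cert_der):
    """Subset of the published TLSA records that cert_der satisfies."""
    hits = []
    for rr in published:
        usage, selector, mtype, assoc = rr.split()
        computed = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
        if computed.split()[3].lower() == assoc.lower():
            hits.append(rr)
    return hits


# --- constructed sample input (no real certificate, no real key) ------------

def _der(tag, payload):
    """Minimal DER encoder, only used to build the sample certificates."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_cert(pubkey_bits, serial=1):
    """Unsigned, certificate-shaped DER with the X.509 field layout; only the
    layout matters for locating the SPKI (constructed, not a valid cert)."""
    rsa_oid = _der(0x06, bytes.fromhex("2a864886f70d010101"))  # rsaEncryption
    alg = _der(0x30, rsa_oid + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey_bits))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))   # version v3
                     + _der(0x02, bytes([serial]))     # serialNumber
                     + alg                             # signature algorithm
                     + _der(0x30, b"")                 # issuer (empty)
                     + _der(0x30, b"")                 # validity (empty)
                     + _der(0x30, b"")                 # subject (empty)
                     + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))


OLD_CERT = fake_cert(b"\x01" * 64)            # key pair the TLSA record was made for
NEW_CERT = fake_cert(b"\x02" * 64, serial=2)  # replacement cert with a NEW key pair
REKEYED = fake_cert(b"\x01" * 64, serial=2)   # replacement cert reusing the OLD key


def rotation_report():
    """How many of the records DNS still carries does each certificate satisfy?"""
    published = [tlsa_rdata(OLD_CERT)]        # DNS never updated: 3 1 1 <old SPKI>
    return {
        "old cert": len(matching_records(published, OLD_CERT)),
        "new key": len(matching_records(published, NEW_CERT)),   # 0 -> DANE failure
        "same key": len(matching_records(published, REKEYED)),   # 1 -> still fine
    }


if __name__ == "__main__":
    print(rotation_report())
    print("publish before the swap:", tlsa_rdata(NEW_CERT))
```

Against a real deployment, feed `spki_der`/`tlsa_rdata` the DER of the certificate Postfix actually serves (the PEM named by `smtpd_tls_cert_file`, base64-decoded) and give `matching_records` the rdata from `dig TLSA _25._tcp.smtp1.veka.com`; an empty result from `matching_records` for the new certificate means DANE-validating senders will fail exactly as in the log above. The safe order for a swap is to publish the new certificate's record alongside the old one, wait out the old record's TTL, install the certificate, then retire the old record; renewing with the same key pair keeps a "3 1 1" record valid across the swap, whereas a "3 0 1" record covers the whole certificate and changes with every re-issue.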
