Linux -- Deutschsprachige Diskussion rund um GNU/Linux

Sender	Message	Time
21 Oct 2021
SilentStalker	Kein exklusiver Zugriff auf die Grafikressourcen.	19:20:39
alex	Moin. Ich habe gerade ein kleines Problemchen mit der Kommunikation meines eMail-Servers (azha.de) <-> gmx. Ich bekomme hier öfter einen 'SSL_connect error to mx01.emig.gmx.net[212.227.17.5]:25: Connection timed out' gefolgt vom 'Cannot start TLS: handshake failure'	19:36:43
SilentStalker	Welche Cipher Suites werden bei der Server-Server-Kommunikation verwendet? Wird TLS bei der Kommunikation mit anderen Servern erzwungen?	19:40:04
alex	jetzt kann ich mit 'https://de.ssl-tools.net/mailservers/azha.de' ein ähnliches Verhalten nachstellen: Verbindung wird geöffnet -> EHELO -> StartTLS -> Client Hello -> Server Hello -> Verbindung verreckt mit einem RST vom der Gegenseite.	19:40:33
alex	TLS-Config auf meiner Seite: smtp_use_tls = yes smtpd_tls_security_level=may smtpd_tls_eecdh_grade = ultra smtpd_tls_mandatory_ciphers=high smtp_tls_mandatory_ciphers=high smtpd_tls_ciphers=high smtp_tls_ciphers=high smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_received_header = yes tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH tls_preempt_cipherlist = yes	19:43:20
SilentStalker	Verwendest du Postfix >= 2.3?	19:49:57
alex	japp	19:50:20
SilentStalker	Dann kannst du `smtp_use_tls` durch `smtp_tls_security_level` ersetzen.	19:51:32
SilentStalker	* Dann kannst du `smtp_use_tls` durch `smtp_tls_security_level` ersetzen.	19:51:50
SilentStalker	# # - TLS CONFIGURATION - # # -- Global -- tls_ssl_options = NO_COMPRESSION #tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256 tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS tls_preempt_cipherlist = yes tls_eecdh_strong_curve = prime256v1 tls_eecdh_ultra_curve = secp384r1 # -- Outgoing connections -- smtp_tls_security_level = dane smtp_tls_policy_maps = mysql:/etc/postfix/mysql/tls_policy.cf smtp_dns_support_level = dnssec smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache #smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtp_tls_mandatory_protocols = !SSLv2, !SSLv3 # -- Incoming client connections -- smtpd_use_tls = yes #smtpd_tls_loglevel = 3 smtpd_tls_security_level = may smtpd_tls_mandatory_ciphers = high smtpd_tls_eecdh_grade = strong #smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 smtpd_tls_cert_file = /etc/ssl/smtp.example.net/fullchain.pem smtpd_tls_key_file = /etc/ssl/smtp.example.net/privkey.key smtpd_tls_CAfile = /etc/ssl/smtp.example.net/ca.pem smtpd_tls_dh1024_param_file = ${config_directory}/crypto/dh4096.pem smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtpd_tls_auth_only = yes smtpd_tls_received_header = yes Zum Abgleich meine Konfiguration.	20:00:43
alex	danke. Mal so aus Interesse: wieviel Einträge hat die smtp_tls_policy_map in der Datenbank? Und wie wird das gepflegt?	20:05:27
SilentStalker	Momentan ein einziger Eintrag: Steam mag keine verschlüsselten Mails. Da ich so selten Einträge da einpflege werfe ich ab und an DBeaver an und pflege die Vmail-Datenbank.	20:14:48
SilentStalker	+---------+---------------------------------------------------------------------------------+------+-----+---------------------+-------+ \| Field \| Type \| Null \| Key \| Default \| Extra \| +---------+---------------------------------------------------------------------------------+------+-----+---------------------+-------+ \| domain \| varchar(255) \| NO \| PRI \| NULL \| \| \| policy \| enum('none','may','encrypt','dane','dane-only','fingerprint','verify','secure') \| NO \| \| NULL \| \| \| params \| varchar(255) \| YES \| \| NULL \| \| \| created \| datetime \| NO \| \| current_timestamp() \| \| +---------+---------------------------------------------------------------------------------+------+-----+---------------------+-------+ `user = vmail password = password hosts = localhost dbname = vmail query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';`	20:16:43
quas	schlagt ihr system76 für Linux vor? Ich sehe, dass das Akku großartig wäre unter anderem.	20:25:23
22 Oct 2021
alex	Ich habe mal mit dem Postfixproblem weitergeschaut und den Loglevel erhöht. Ein Test mit `https://de.ssl-tools.net/mailservers/azha.de` schlägt jetzt besser sichtbar mit Log auf: Oct 22 11:41:39 mail postfix/smtpd[392495]: connect from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa] Oct 22 11:41:39 mail postfix/smtpd[392495]: setting up TLS connection from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa] Oct 22 11:41:39 mail postfix/smtpd[392495]: unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa]: TLS cipher list "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-DSS-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 RSA-PSK-CHACHA20-POLY1305 DHE-PSK-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 DHE-PSK-AES256-CCM8 DHE-PSK-AES256-CCM RSA-PSK-ARIA256-GCM-SHA384 DHE-PSK-ARIA256-GCM-SHA384" Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept:before SSL initialization Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept:before SSL initialization Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL3 alert write:fatal:handshake failure Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept:error in error Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept error from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa]: -1 Oct 22 11:41:39 mail postfix/smtpd[392495]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283: Oct 22 11:41:39 mail postfix/smtpd[392495]: lost connection after STARTTLS from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa] Oct 22 11:41:39 mail postfix/smtpd[392495]: disconnect from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa] ehlo=1 starttls=0/1 commands=1/2 Mein Cipher-Konfig ist inzwischen: tls_high_cipherlist = TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-DSS-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 RSA-PSK-CHACHA20-POLY1305 DHE-PSK-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 DHE-PSK-AES256-CCM8 DHE-PSK-AES256-CCM RSA-PSK-ARIA256-GCM-SHA384 DHE-PSK-ARIA256-GCM-SHA384 -> da gibt es definitiv Überschneidungen. Was übersehe ich hier?	09:56:22
SilentStalker	Die unterstützten Cipher des Clients und deines Servers haben keine Überschneidung. Du bietest dem Client also Cipher an, welche er nicht unterstützt. `warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:`	15:53:45
SilentStalker	Das Problem kann auch auftauchen wenn man TLSv1.0 und TLSv1.1 explizit verbietet.	16:03:17
bernd	was ich persönlich für ratsam halte.	16:03:47
SilentStalker	Womit du dann beim Empfangen immer noch viele Server ausschließt.	16:04:24
bernd	jepp	16:04:39
SilentStalker	Mir persönlich ist der garantierte Empfang wichtiger als die genutzte Transportverschlüsselung.	16:05:41
bernd	ich werde niemanden daran hindern seinen provider zu wechseln, wenn der keine aktuellen chiphern benutzen will.	16:07:41
SilentStalker	Das hat sich bei den deutschen Anbietern mittlerweile stark verbessert.	16:10:04
bernd	was die frage aufwirft: weil sie mails zu oft nicht zustellen konnten? :)	16:11:04
SilentStalker	Schau dir an wie es andere machen: Google Mail ➜ testssl -t smtp aspmx.l.google.com:25 No engine or GOST support via engine with your /usr/bin/openssl ########################################################### testssl 3.0.5 from https://testssl.sh/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.1.1l 24 Aug 2021" [~80 ciphers] on tiebreaker:/usr/bin/openssl (built: "Aug 24 14:27:02 2021", platform: "linux-x86_64") Start 2021-10-22 18:15:22 -->> 142.251.5.27:25 (aspmx.l.google.com) <<-- Further IP addresses: 2a00:1450:400c:c07::1a rDNS (142.251.5.27): wg-in-f27.1e100.net. Service set: STARTTLS via SMTP Testing protocols via sockets SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 offered (OK): final Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) Triple DES Ciphers / IDEA offered Obsolete CBC ciphers (AES, ARIA etc.) offered Strong encryption (AEAD ciphers) offered (OK) Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA Elliptic curves offered: prime256v1 X25519 Testing server preferences Has server cipher order? yes (OK) -- only for < TLS 1.3 Negotiated protocol TLSv1.3 Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) Cipher order TLSv1: ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA TLSv1.1: ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA TLSv1.2: ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA DES-CBC3-SHA Testing server defaults (Server Hello) TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "key share/#51" "supported versions/#43" "extended master secret/#23" Session Ticket RFC 5077 hint 100800 seconds but: PFS requires session ticket keys to be rotated < daily ! SSL Session ID support yes Session Resumption Tickets: yes, ID resumption test failed, pls report TLS clock skew -1 sec from localtime Server Certificate #1 Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication Serial / Fingerprints 4DA318D1C174BD5C0A0000000108AD8A / SHA1 8777B282812613D66391C82FD63962DF8C4B16CA SHA256 7F68FE010D400DA8BA7700EBD0C8EB77CB7A0D5D7B8887B6DB3C51BBD7C4B118 Common Name (CN) mx.google.com subjectAltName (SAN) mx.google.com smtp.google.com aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.l.google.com gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com alt2.gmail-smtp-in.l.google.com alt3.gmail-smtp-in.l.google.com alt4.gmail-smtp-in.l.google.com gmr-smtp-in.l.google.com alt1.gmr-smtp-in.l.google.com alt2.gmr-smtp-in.l.google.com alt3.gmr-smtp-in.l.google.com alt4.gmr-smtp-in.l.google.com mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog aspmx2.googlemail.com aspmx3.googlemail.com aspmx4.googlemail.com aspmx5.googlemail.com gmr-mx.google.com Issuer GTS CA 1C3 (Google Trust Services LLC from US) Trust (hostname) Ok via SAN (same w/o SNI) Chain of trust Ok EV cert (experimental) no ETS/"eTLS", visibility info not present Certificate Validity (UTC) 65 >= 60 days (2021-10-04 04:13 --> 2021-12-27 03:13) # of certificates provided 3 Certificate Revocation List http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl OCSP URI http://ocsp.pki.goog/gts1c3 OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) available - please check for match with "Issuer" above: issue=pki.goog Certificate Transparency yes (certificate extension) Server Certificate #2 Signature Algorithm SHA256 with RSA Server key size EC 256 bits Server key usage Digital Signature Server extended key usage TLS Web Server Authentication Serial / Fingerprints ACA8F4B348B968570A0000000108AD8C / SHA1 725B8BACAB5496DA22AC6BB86A63F078BCE72DF9 SHA256 585414F5D2AC0E4C1922DBA12685D52ED4959D999777E41DE3FC98237C4B1180 Common Name (CN) mx.google.com subjectAltName (SAN) mx.google.com smtp.google.com aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.l.google.com gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com alt2.gmail-smtp-in.l.google.com alt3.gmail-smtp-in.l.google.com alt4.gmail-smtp-in.l.google.com gmr-smtp-in.l.google.com alt1.gmr-smtp-in.l.google.com alt2.gmr-smtp-in.l.google.com alt3.gmr-smtp-in.l.google.com alt4.gmr-smtp-in.l.google.com mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog aspmx2.googlemail.com aspmx3.googlemail.com aspmx4.googlemail.com aspmx5.googlemail.com gmr-mx.google.com Issuer GTS CA 1C3 (Google Trust Services LLC from US) Trust (hostname) Ok via SAN (same w/o SNI) Chain of trust Ok EV cert (experimental) no ETS/"eTLS", visibility info not present Certificate Validity (UTC) 65 >= 60 days (2021-10-04 04:13 --> 2021-12-27 03:13) # of certificates provided 3 Certificate Revocation List http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl OCSP URI http://ocsp.pki.goog/gts1c3 OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) available - please check for match with "Issuer" above: issue=pki.goog Certificate Transparency yes (certificate extension) Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway) POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) VULNERABLE, uses 64 bit block ciphers FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=7F68FE010D400DA8BA7700EBD0C8EB77CB7A0D5D7B8887B6DB3C51BBD7C4B118 could help you to find out LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) TLS1: ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc02c ECDHE-ECDSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xc00a ECDHE-ECDSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA xcca9 ECDHE-ECDSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc02b ECDHE-ECDSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA xc009 ECDHE-ECDSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA x0a DES-CBC3-SHA RSA 3DES 168 TLS_RSA_WITH_3DES_EDE_CBC_SHA Running client simulations via sockets Android 8.1 (native) TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519) Android 9.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) Android 10.0 (native) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) Java 6u45 TLSv1.0 AES128-SHA, No FS Java 7u25 TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256) OpenSSL 1.0.2e TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305, 253 bit ECDH (X25519) OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) Thunderbird (68.3) TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519) Done 2021-10-22 18:16:52 [ 92s] -->> 142.251.5.27:25 (aspmx.l.google.com) <<-- ProtonMail: ➜ testssl -t smtp mailsec.protonmail.ch:25 No engine or GOST support via engine with your /usr/bin/openssl ########################################################### testssl 3.0.5 from https://testssl.sh/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.1.1l 24 Aug 2021" [~80 ciphers] on tiebreaker:/usr/bin/openssl (built: "Aug 24 14:27:02 2021", platform: "linux-x86_64") Testing all IPv4 addresses (port 25): 185.70.42.129 185.70.40.102 185.205.70.129 176.119.200.129 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Start 2021-10-22 18:20:46 -->> 185.70.42.129:25 (mailsec.protonmail.ch) <<-- Further IP addresses: 185.70.40.102 185.205.70.129 176.119.200.129 rDNS (185.70.42.129): 185-70-42-129.protonmail.ch. Service set: STARTTLS via SMTP Testing protocols via sockets SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 offered (OK): final Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) Triple DES Ciphers / IDEA not offered Obsolete CBC ciphers (AES, ARIA etc.) offered Strong encryption (AEAD ciphers) offered (OK) Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ARIA256-GCM-SHA384 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ARIA128-GCM-SHA256 Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 X448 Testing server preferences Has server cipher order? yes (OK) -- TLS 1.3 and below Negotiated protocol TLSv1.3 Negotiated cipher TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) Cipher order TLSv1: ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA TLSv1.1: ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ARIA256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM ARIA256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ARIA128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM ARIA128-GCM-SHA256 AES128-SHA256 AES128-SHA TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 Testing server defaults (Server Hello) TLS extensions (standard) "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "max fragment length/#1" "encrypt-then-mac/#22" "extended master secret/#23" Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily SSL Session ID support yes Session Resumption Tickets: yes, ID: no TLS clock skew Random values, no fingerprinting possible Signature Algorithm SHA256 with RSA Server key size RSA 4096 bits Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Server Authentication, TLS Web Client Authentication Serial / Fingerprints 0356170A40D6C017D04541FC5527BA2FB136 / SHA1 C97AF757A2723511E99F8E1916213CA31BE1ACF5 SHA256 37252645C3FC5B2DA7B2A03C5A07EC788CD8BDD6AC130CC0F4DFB33F1B337144 Common Name (CN) protonmail.com subjectAltName (SAN) .pm.me .protonmail.ch .protonmail.com .protonvpn.ch *.protonvpn.com protonmail.com Issuer R3 (Let's Encrypt from US) Trust (hostname) Ok via SAN wildcard (same w/o SNI) Chain of trust Ok EV cert (experimental) no ETS/"eTLS", visibility info not present Certificate Validity (UTC) 71 >= 30 days (2021-10-04 10:54 --> 2022-01-02 09:54) # of certificates provided 2 Certificate Revocation List -- OCSP URI http://r3.o.lencr.org OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) available - please check for match with "Issuer" above iodef=mailto:security@protonmail.com, issue=letsencrypt.org, issue=swisssign.com Certificate Transparency yes (certificate extension) Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway) POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=37252645C3FC5B2DA7B2A03C5A07EC788CD8BDD6AC130CC0F4DFB33F1B337144 could help you to find out LOGJAM (CVE-2015-4000), experimental not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2 BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- x1302 TLS_AES_256_GCM_SHA384 ECDH 253 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 253 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 253 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 253 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 253 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc0a1 AES256-CCM8 RSA AESCCM8 256 TLS_RSA_WITH_AES_256_CCM_8 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc051 ARIA256-GCM-SHA384 RSA ARIAGCM 256 TLS_RSA_WITH_ARIA_256_GCM_SHA384 xc061 ECDHE-ARIA256-GCM-SHA384 ECDH 253 ARIAGCM 256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 x1301 TLS_AES_128_GCM_SHA256 ECDH 253 AESGCM 128 TLS_AES_128_GCM_SHA256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 253 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 253 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA xc0a0 AES128-CCM8 RSA AESCCM8 128 TLS_RSA_WITH_AES_128_CCM_8 xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA xc050 ARIA128-GCM-SHA256 RSA ARIAGCM 128 TLS_RSA_WITH_ARIA_128_GCM_SHA256 xc060 ECDHE-ARIA128-GCM-SHA256 ECDH 253 ARIAGCM 128 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 Running client simulations via sockets Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) Java 6u45 TLSv1.0 AES128-SHA, No FS Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519) OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) Thunderbird (68.3) TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519) Done 2021-10-22 18:22:14 [ 91s] -->> 185.70.42.129:25 (mailsec.protonmail.ch) <<-- Bei GMX kommt gar keine Verbindung zustande. Warum? Deswegen: `➜ telnet mx01.emig.gmx.net 25 Trying 212.227.17.5... Connected to mx01.emig.gmx.net. Escape character is '^]'. 554-gmx.net (mxgmx114) Nemesis ESMTP Service not available 554-No SMTP service 554-IP address is block listed. 554 For explanation visit https://www.gmx.net/mail/senderguidelines?ip=87.172.164.53&c=bl Connection closed by foreign host.`	16:28:30
SilentStalker	Kompatibilitätsmäßig ist das zwar eine Katastrophe aber moderner als vor 10 Jahren.	16:30:07
23 Oct 2021
	jacky changed their display name from Eric to jacky.	08:56:29
alex	SilentStalker: Ich habe mir mal gmx angeschaut, von dem System über welches die eMails gehen: testssl -t smtp mx01.emig.gmx.net:25 No engine or GOST support via engine with your /usr/bin/openssl ########################################################### testssl 3.0 from https://testssl.sh/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.1.1f 31 Mar 2020" [~79 ciphers] on azha:/usr/bin/openssl (built: "Aug 23 17:02:39 2021", platform: "debian-amd64") Start 2021-10-23 11:59:19 -->> 212.227.17.5:25 (mx01.emig.gmx.net) <<-- rDNS (212.227.17.5): mx01.emig.gmx.net. Service set: STARTTLS via SMTP Testing protocols via sockets SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 offered (OK): final Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) Triple DES Ciphers / IDEA not offered Obsolete: SEED + 128+256 Bit CBC cipher offered Strong encryption (AEAD ciphers) offered (OK) Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 Testing server preferences Has server cipher order? yes (OK) -- TLS 1.3 and below Negotiated protocol TLSv1.3 Negotiated cipher TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Cipher order TLSv1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA TLSv1.1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 AES256-GCM-SHA384 AES256-CCM AES256-SHA AES256-SHA256 AES128-GCM-SHA256 AES128-CCM AES128-SHA AES128-SHA256 TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 Testing server defaults (Server Hello) TLS extensions (standard) "EC point formats/#11" "renegotiation info/#65281" "key share/#51" "supported versions/#43" "encrypt-then-mac/#22" "max fragment length/#1" Session Ticket RFC 5077 hint no -- no lifetime advertised SSL Session ID support yes Session Resumption Tickets no, ID: no TLS clock skew Random values, no fingerprinting possible Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Client Authentication, TLS Web Server Authentication Serial / Fingerprints 257D68A7200AA5DFBD5BFCDB4E664E7F / SHA1 E5B2E3B40231497A78F91AEF279E23F3AE7B9110 SHA256 E9EA38A058DDA2C392B9DE38546DE1FB9E29D908A2B89EAE4000F32DE88D7ACA Common Name (CN) mx.gmx.net subjectAltName (SAN) mx.gmx.net mx00.gmx.net mx01.gmx.net mx00.emig.gmx.net mx01.emig.gmx.net dhmx01.emig.gmx.net dhmx02.emig.gmx.net Issuer TeleSec ServerPass Class 2 CA (T-Systems International GmbH from DE) Trust (hostname) Ok via SAN (same w/o SNI) Chain of trust Ok EV cert (experimental) no ETS/"eTLS", visibility info not present Certificate Validity (UTC) 233 >= 60 days (2021-06-08 13:28 --> 2022-06-14 01:59) # of certificates provided 2 Certificate Revocation List http://crl.serverpass.telesec.de/rl/ServerPass_Class_2.crl OCSP URI http://ocsp.serverpass.telesec.de/ocspr OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) available - please check for match with "Issuer" above issue=Digicert.com, issue=telesec.de Certificate Transparency yes (certificate extension) Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway) POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Check failed, unexpected result , run testssl -Z --debug=1 and look at /tmp/testssl.Tkwdv9/tls_fallback_scsv.txt SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=E9EA38A058DDA2C392B9DE38546DE1FB9E29D908A2B89EAE4000F32DE88D7ACA could help you to find out LOGJAM (CVE-2015-4000), experimental common prime with 2048 bits detected: RFC7919/ffdhe2048 (2048 bits), but no DH EXPORT ciphers BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- x1302 TLS_AES_256_GCM_SHA384 ECDH 256 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 256 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 256 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc09f DHE-RSA-AES256-CCM DH 2048 AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x1301 TLS_AES_128_GCM_SHA256 ECDH 256 AESGCM 128 TLS_AES_128_GCM_SHA256 x1304 TLS_AES_128_CCM_SHA256 ECDH 256 AESCCM 128 TLS_AES_128_CCM_SHA256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 xc09e DHE-RSA-AES128-CCM DH 2048 AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA Running client simulations via sockets Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Java 6u45 No connection Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Thunderbird (68.3) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Done 2021-10-23 12:00:56 [ 99s] -->> 212.227.17.5:25 (mx01.emig.gmx.net) <<-- -> gleich die ersten Beiden stimmen überein, und sind sogar in der gleichen Reihenfolge. Ich gehe daher davon aus, das ich nicht* den gleichen Fehler wie mit de.ssl-tools.net habe. Das Problem mit GMX sieht in meinen logs so aus: Oct 23 04:24:16 mail postfix/smtp[433006]: initializing the client-side TLS engine Oct 23 04:24:16 mail postfix/smtp[433006]: setting up TLS connection to mx01.emig.gmx.net[212.227.17.5]:25 Oct 23 04:24:16 mail postfix/smtp[433006]: mx01.emig.gmx.net[212.227.17.5]:25: TLS cipher list "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-DSS-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 RSA-PSK-CHACHA20-POLY1305 DHE-PSK-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 DHE-PSK-AES256-CCM8 DHE-PSK-AES256-CCM RSA-PSK-ARIA256-GCM-SHA384 DHE-PSK-ARIA256-GCM-SHA384:!eNULL" Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:before SSL initialization Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS read server hello Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write change cipher spec Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello Oct 23 04:29:16 mail postfix/smtp[433006]: SSL_connect error to mx01.emig.gmx.net[212.227.17.5]:25: Connection timed out Oct 23 04:29:16 mail postfix/smtp[433006]: 5793FA0791: Cannot start TLS: handshake failure Der Witz ist: irgendwann geht die eMail durch, sobald es soweit ist hänge ich das logging hier an.	10:20:13
alex	* SilentStalker: Ich habe mir mal gmx angeschaut, von dem System über welches die eMails gehen: testssl -t smtp mx01.emig.gmx.net:25 No engine or GOST support via engine with your /usr/bin/openssl ########################################################### testssl 3.0 from https://testssl.sh/ This program is free software. Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.1.1f 31 Mar 2020" [~79 ciphers] on azha:/usr/bin/openssl (built: "Aug 23 17:02:39 2021", platform: "debian-amd64") Start 2021-10-23 11:59:19 -->> 212.227.17.5:25 (mx01.emig.gmx.net) <<-- rDNS (212.227.17.5): mx01.emig.gmx.net. Service set: STARTTLS via SMTP Testing protocols via sockets SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered (deprecated) TLS 1.1 offered (deprecated) TLS 1.2 offered (OK) TLS 1.3 offered (OK): final Testing cipher categories NULL ciphers (no encryption) not offered (OK) Anonymous NULL Ciphers (no authentication) not offered (OK) Export ciphers (w/o ADH+NULL) not offered (OK) LOW: 64 Bit + DES, RC[2,4] (w/o export) not offered (OK) Triple DES Ciphers / IDEA not offered Obsolete: SEED + 128+256 Bit CBC cipher offered Strong encryption (AEAD ciphers) offered (OK) Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 PFS is offered (OK) TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA Elliptic curves offered: prime256v1 secp384r1 secp521r1 X25519 Finite field group: ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192 Testing server preferences Has server cipher order? yes (OK) -- TLS 1.3 and below Negotiated protocol TLSv1.3 Negotiated cipher TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Cipher order TLSv1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA TLSv1.1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA TLSv1.2: ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 AES256-GCM-SHA384 AES256-CCM AES256-SHA AES256-SHA256 AES128-GCM-SHA256 AES128-CCM AES128-SHA AES128-SHA256 TLSv1.3: TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 Testing server defaults (Server Hello) TLS extensions (standard) "EC point formats/#11" "renegotiation info/#65281" "key share/#51" "supported versions/#43" "encrypt-then-mac/#22" "max fragment length/#1" Session Ticket RFC 5077 hint no -- no lifetime advertised SSL Session ID support yes Session Resumption Tickets no, ID: no TLS clock skew Random values, no fingerprinting possible Signature Algorithm SHA256 with RSA Server key size RSA 2048 bits Server key usage Digital Signature, Key Encipherment Server extended key usage TLS Web Client Authentication, TLS Web Server Authentication Serial / Fingerprints 257D68A7200AA5DFBD5BFCDB4E664E7F / SHA1 E5B2E3B40231497A78F91AEF279E23F3AE7B9110 SHA256 E9EA38A058DDA2C392B9DE38546DE1FB9E29D908A2B89EAE4000F32DE88D7ACA Common Name (CN) mx.gmx.net subjectAltName (SAN) mx.gmx.net mx00.gmx.net mx01.gmx.net mx00.emig.gmx.net mx01.emig.gmx.net dhmx01.emig.gmx.net dhmx02.emig.gmx.net Issuer TeleSec ServerPass Class 2 CA (T-Systems International GmbH from DE) Trust (hostname) Ok via SAN (same w/o SNI) Chain of trust Ok EV cert (experimental) no ETS/"eTLS", visibility info not present Certificate Validity (UTC) 233 >= 60 days (2021-06-08 13:28 --> 2022-06-14 01:59) # of certificates provided 2 Certificate Revocation List http://crl.serverpass.telesec.de/rl/ServerPass_Class_2.crl OCSP URI http://ocsp.serverpass.telesec.de/ocspr OCSP stapling not offered OCSP must staple extension -- DNS CAA RR (experimental) available - please check for match with "Issuer" above issue=Digicert.com, issue=telesec.de Certificate Transparency yes (certificate extension) Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK), no heartbeat extension CCS (CVE-2014-0224) not vulnerable (OK) ROBOT not vulnerable (OK) Secure Renegotiation (RFC 5746) supported (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) (not using HTTP anyway) POODLE, SSL (CVE-2014-3566) not vulnerable (OK), no SSLv3 support TLS_FALLBACK_SCSV (RFC 7507) Check failed, unexpected result , run testssl -Z --debug=1 and look at /tmp/testssl.Tkwdv9/tls_fallback_scsv.txt SWEET32 (CVE-2016-2183, CVE-2016-6329) not vulnerable (OK) FREAK (CVE-2015-0204) not vulnerable (OK) DROWN (CVE-2016-0800, CVE-2016-0703) not vulnerable on this host and port (OK) make sure you don't use this certificate elsewhere with SSLv2 enabled services https://censys.io/ipv4?q=E9EA38A058DDA2C392B9DE38546DE1FB9E29D908A2B89EAE4000F32DE88D7ACA could help you to find out LOGJAM (CVE-2015-4000), experimental common prime with 2048 bits detected: RFC7919/ffdhe2048 (2048 bits), but no DH EXPORT ciphers BEAST (CVE-2011-3389) TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA VULNERABLE -- but also supports higher protocols TLSv1.1 TLSv1.2 (likely mitigated) LUCKY13 (CVE-2013-0169), experimental potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (IANA/RFC) ----------------------------------------------------------------------------------------------------------------------------- x1302 TLS_AES_256_GCM_SHA384 ECDH 256 AESGCM 256 TLS_AES_256_GCM_SHA384 x1303 TLS_CHACHA20_POLY1305_SHA256 ECDH 256 ChaCha20 256 TLS_CHACHA20_POLY1305_SHA256 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 xcca8 ECDHE-RSA-CHACHA20-POLY1305 ECDH 256 ChaCha20 256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xccaa DHE-RSA-CHACHA20-POLY1305 DH 2048 ChaCha20 256 TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 xc09f DHE-RSA-AES256-CCM DH 2048 AESCCM 256 TLS_DHE_RSA_WITH_AES_256_CCM x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 xc09d AES256-CCM RSA AESCCM 256 TLS_RSA_WITH_AES_256_CCM x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA x1301 TLS_AES_128_GCM_SHA256 ECDH 256 AESGCM 128 TLS_AES_128_GCM_SHA256 x1304 TLS_AES_128_CCM_SHA256 ECDH 256 AESCCM 128 TLS_AES_128_CCM_SHA256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 xc09e DHE-RSA-AES128-CCM DH 2048 AESCCM 128 TLS_DHE_RSA_WITH_AES_128_CCM xc09c AES128-CCM RSA AESCCM 128 TLS_RSA_WITH_AES_128_CCM x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA Running client simulations via sockets Android 8.1 (native) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Android 9.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Android 10.0 (native) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Java 6u45 No connection Java 7u25 TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256) Java 8u161 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) Java 11.0.2 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Java 12.0.1 (OpenJDK) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) OpenSSL 1.0.2e TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.0l (Debian) TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256) OpenSSL 1.1.1d (Debian) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Thunderbird (68.3) TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256) Done 2021-10-23 12:00:56 [ 99s] -->> 212.227.17.5:25 (mx01.emig.gmx.net) <<-- -> gleich die ersten Beiden stimmen überein, und sind sogar in der gleichen Reihenfolge. Ich gehe daher davon aus, das ich nicht* den gleichen Fehler wie mit de.ssl-tools.net habe. Das Problem mit GMX sieht in meinen logs so aus: Oct 23 04:24:16 mail postfix/smtp[433006]: initializing the client-side TLS engine Oct 23 04:24:16 mail postfix/smtp[433006]: setting up TLS connection to mx01.emig.gmx.net[212.227.17.5]:25 Oct 23 04:24:16 mail postfix/smtp[433006]: mx01.emig.gmx.net[212.227.17.5]:25: TLS cipher list "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-DSS-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 RSA-PSK-CHACHA20-POLY1305 DHE-PSK-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 DHE-PSK-AES256-CCM8 DHE-PSK-AES256-CCM RSA-PSK-ARIA256-GCM-SHA384 DHE-PSK-ARIA256-GCM-SHA384:!eNULL" Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:before SSL initialization Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS read server hello Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write change cipher spec Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello Oct 23 04:29:16 mail postfix/smtp[433006]: SSL_connect error to mx01.emig.gmx.net[212.227.17.5]:25: Connection timed out Oct 23 04:29:16 mail postfix/smtp[433006]: 5793FA0791: Cannot start TLS: handshake failure Der Witz ist: irgendwann geht die eMail durch, sobald es soweit ist hänge ich das logging hier an.	10:44:17
Don Camillo	ich hab ein problem mit dem nextcloud snap, irgendwie will sich das nicht mit dem internet verbinden (outgoing) hat aber die richtigen interfaces aktiviert, woran kann das liegen? ich bin echt grad am ende meines lateins	14:58:18

Kein exklusiver Zugriff auf die Grafikressourcen.

Moin. Ich habe gerade ein kleines Problemchen mit der Kommunikation meines eMail-Servers (azha.de) <-> gmx. Ich bekomme hier öfter einen 'SSL_connect error to mx01.emig.gmx.net[212.227.17.5]:25: Connection timed out' gefolgt vom 'Cannot start TLS: handshake failure'