!POnsZmdSAzRrxMaTOj:matrix.kraut.space

Linux -- German-language discussion about GNU/Linux

183 Members
Linux https://n.jo-so.de/regeln-fuer-linux-matrix
55 Servers

21 Oct 2021
@silentstalker:nukethe.earth SilentStalker: No exclusive access to the graphics resources. 19:20:39
@alex:azha.de alex: Hi. I currently have a small problem with the communication between my e-mail server (azha.de) <-> gmx. I frequently get an 'SSL_connect error to mx01.emig.gmx.net[212.227.17.5]:25: Connection timed out' followed by 'Cannot start TLS: handshake failure' 19:36:43
@silentstalker:nukethe.earth SilentStalker: Which cipher suites are used for server-to-server communication? Is TLS enforced when communicating with other servers? 19:40:04
@alex:azha.de alex: Now I can reproduce similar behaviour with 'https://de.ssl-tools.net/mailservers/azha.de': connection is opened -> EHLO -> StartTLS -> Client Hello -> Server Hello -> connection dies with an RST from the remote side. 19:40:33
@alex:azha.de alex

TLS config on my side:

smtp_use_tls = yes
smtpd_tls_security_level=may
smtpd_tls_eecdh_grade = ultra
smtpd_tls_mandatory_ciphers=high
smtp_tls_mandatory_ciphers=high
smtpd_tls_ciphers=high
smtp_tls_ciphers=high
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_received_header = yes
tls_high_cipherlist = !aNULL:!eNULL:!CAMELLIA:HIGH:@STRENGTH
tls_preempt_cipherlist = yes
19:43:20
@silentstalker:nukethe.earth SilentStalker: Are you using Postfix >= 2.3? 19:49:57
@alex:azha.de alex: yep 19:50:20
@silentstalker:nukethe.earth SilentStalker: Then you can replace smtp_use_tls with smtp_tls_security_level. 19:51:32
@silentstalker:nukethe.earth SilentStalker
#
# - TLS CONFIGURATION -
#

# -- Global --
tls_ssl_options = NO_COMPRESSION
#tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256
tls_high_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
tls_preempt_cipherlist = yes
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1

# -- Outgoing connections --
smtp_tls_security_level = dane
smtp_tls_policy_maps = mysql:/etc/postfix/mysql/tls_policy.cf
smtp_dns_support_level = dnssec
smtp_tls_note_starttls_offer = yes
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# -- Incoming client connections --
smtpd_use_tls = yes
#smtpd_tls_loglevel = 3
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = high
smtpd_tls_eecdh_grade = strong
#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_cert_file = /etc/ssl/smtp.example.net/fullchain.pem
smtpd_tls_key_file = /etc/ssl/smtp.example.net/privkey.key
smtpd_tls_CAfile = /etc/ssl/smtp.example.net/ca.pem
smtpd_tls_dh1024_param_file = ${config_directory}/crypto/dh4096.pem
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_auth_only = yes
smtpd_tls_received_header = yes

My configuration, for comparison.

20:00:43
@alex:azha.de alex: Thanks. Just out of interest: how many entries does the smtp_tls_policy_map have in the database? And how is it maintained? 20:05:27
@silentstalker:nukethe.earth SilentStalker: Currently a single entry: Steam doesn't like encrypted mails. Since I add entries there so rarely, I fire up DBeaver now and then and maintain the vmail database. 20:14:48
@silentstalker:nukethe.earth SilentStalker
+---------+---------------------------------------------------------------------------------+------+-----+---------------------+-------+
| Field   | Type                                                                            | Null | Key | Default             | Extra |
+---------+---------------------------------------------------------------------------------+------+-----+---------------------+-------+
| domain  | varchar(255)                                                                    | NO   | PRI | NULL                |       |
| policy  | enum('none','may','encrypt','dane','dane-only','fingerprint','verify','secure') | NO   |     | NULL                |       |
| params  | varchar(255)                                                                    | YES  |     | NULL                |       |
| created | datetime                                                                        | NO   |     | current_timestamp() |       |
+---------+---------------------------------------------------------------------------------+------+-----+---------------------+-------+
user = vmail
password = password
hosts = localhost
dbname = vmail
query = SELECT policy, params FROM tlspolicies WHERE domain = '%s';
20:16:43
@quas:matrix.org quas: Do you recommend System76 for Linux? I see that the battery would be great, among other things. 20:25:23
22 Oct 2021
@alex:azha.de alex

I took another look at the Postfix problem and raised the log level. A test with https://de.ssl-tools.net/mailservers/azha.de now fails more visibly in the log:

Oct 22 11:41:39 mail postfix/smtpd[392495]: connect from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa]
Oct 22 11:41:39 mail postfix/smtpd[392495]: setting up TLS connection from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa]
Oct 22 11:41:39 mail postfix/smtpd[392495]: unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa]: TLS cipher list "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-DSS-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 RSA-PSK-CHACHA20-POLY1305 DHE-PSK-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 DHE-PSK-AES256-CCM8 DHE-PSK-AES256-CCM RSA-PSK-ARIA256-GCM-SHA384 DHE-PSK-ARIA256-GCM-SHA384"
Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept:before SSL initialization
Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept:before SSL initialization
Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL3 alert write:fatal:handshake failure
Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept:error in error
Oct 22 11:41:39 mail postfix/smtpd[392495]: SSL_accept error from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa]: -1
Oct 22 11:41:39 mail postfix/smtpd[392495]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
Oct 22 11:41:39 mail postfix/smtpd[392495]: lost connection after STARTTLS from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa]
Oct 22 11:41:39 mail postfix/smtpd[392495]: disconnect from unknown[2a01:4f8:251:14ab:5054:ff:fe58:c6aa] ehlo=1 starttls=0/1 commands=1/2

My cipher config is now:

tls_high_cipherlist = TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-DSS-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-DSS-AES256-SHA256 RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 RSA-PSK-CHACHA20-POLY1305 DHE-PSK-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 DHE-PSK-AES256-CCM8 DHE-PSK-AES256-CCM RSA-PSK-ARIA256-GCM-SHA384 DHE-PSK-ARIA256-GCM-SHA384

-> there are definitely overlaps there. What am I overlooking here?

09:56:22
@silentstalker:nukethe.earth SilentStalker

The ciphers supported by the client and by your server have no overlap. So you are offering the client ciphers that it does not support.

warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:../ssl/statem/statem_srvr.c:2283:
15:53:45
@silentstalker:nukethe.earth SilentStalker: The problem can also occur when you explicitly forbid TLSv1.0 and TLSv1.1. 16:03:17
@bernd:matrix.kraut.space bernd: which I personally consider advisable. 16:03:47
@silentstalker:nukethe.earth SilentStalker: Which means you still exclude many servers when receiving. 16:04:24
@bernd:matrix.kraut.space bernd: yep 16:04:39
@silentstalker:nukethe.earth SilentStalker: Personally, guaranteed reception matters more to me than the transport encryption used. 16:05:41
@bernd:matrix.kraut.space bernd: I won't stop anyone from switching their provider if it doesn't want to use current ciphers. 16:07:41
@silentstalker:nukethe.earth SilentStalker: That has improved considerably among the German providers by now. 16:10:04
@bernd:matrix.kraut.space bernd: which raises the question: because they too often couldn't deliver mails? :) 16:11:04
@silentstalker:nukethe.earth SilentStalker

Look at how others do it:

Google Mail

➜ testssl -t smtp aspmx.l.google.com:25

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl       3.0.5 from https://testssl.sh/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1l  24 Aug 2021" [~80 ciphers]
 on tiebreaker:/usr/bin/openssl
 (built: "Aug 24 14:27:02 2021", platform: "linux-x86_64")


 Start 2021-10-22 18:15:22        -->> 142.251.5.27:25 (aspmx.l.google.com) <<--

 Further IP addresses:   2a00:1450:400c:c07::1a
 rDNS (142.251.5.27):    wg-in-f27.1e100.net.
 Service set:            STARTTLS via SMTP

 Testing protocols via sockets

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final

 Testing cipher categories

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     offered
 Obsolete CBC ciphers (AES, ARIA etc.)         offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA ECDHE-ECDSA-AES256-SHA ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES128-SHA
 Elliptic curves offered:     prime256v1 X25519


 Testing server preferences

 Has server cipher order?     yes (OK) -- only for < TLS 1.3
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1:     ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA
    TLSv1.1:   ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA
    TLSv1.2:   ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA AES256-SHA DES-CBC3-SHA


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "key share/#51" "supported versions/#43" "extended master secret/#23"
 Session Ticket RFC 5077 hint 100800 seconds but: PFS requires session ticket keys to be rotated < daily !
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID resumption test failed, pls report
 TLS clock skew               -1 sec from localtime

  Server Certificate #1
   Signature Algorithm          SHA256 with RSA
   Server key size              RSA 2048 bits
   Server key usage             Digital Signature, Key Encipherment
   Server extended key usage    TLS Web Server Authentication
   Serial / Fingerprints        4DA318D1C174BD5C0A0000000108AD8A / SHA1 8777B282812613D66391C82FD63962DF8C4B16CA
                                SHA256 7F68FE010D400DA8BA7700EBD0C8EB77CB7A0D5D7B8887B6DB3C51BBD7C4B118
   Common Name (CN)             mx.google.com
   subjectAltName (SAN)         mx.google.com smtp.google.com aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.l.google.com gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com alt2.gmail-smtp-in.l.google.com alt3.gmail-smtp-in.l.google.com alt4.gmail-smtp-in.l.google.com gmr-smtp-in.l.google.com alt1.gmr-smtp-in.l.google.com alt2.gmr-smtp-in.l.google.com
                                alt3.gmr-smtp-in.l.google.com alt4.gmr-smtp-in.l.google.com mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog aspmx2.googlemail.com aspmx3.googlemail.com aspmx4.googlemail.com aspmx5.googlemail.com gmr-mx.google.com
   Issuer                       GTS CA 1C3 (Google Trust Services LLC from US)
   Trust (hostname)             Ok via SAN (same w/o SNI)
   Chain of trust               Ok
   EV cert (experimental)       no
   ETS/"eTLS", visibility info  not present
   Certificate Validity (UTC)   65 >= 60 days (2021-10-04 04:13 --> 2021-12-27 03:13)
   # of certificates provided   3
   Certificate Revocation List  http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl
   OCSP URI                     http://ocsp.pki.goog/gts1c3
   OCSP stapling                not offered
   OCSP must staple extension   --
   DNS CAA RR (experimental)    available - please check for match with "Issuer" above: issue=pki.goog
   Certificate Transparency     yes (certificate extension)

  Server Certificate #2
   Signature Algorithm          SHA256 with RSA
   Server key size              EC 256 bits
   Server key usage             Digital Signature
   Server extended key usage    TLS Web Server Authentication
   Serial / Fingerprints        ACA8F4B348B968570A0000000108AD8C / SHA1 725B8BACAB5496DA22AC6BB86A63F078BCE72DF9
                                SHA256 585414F5D2AC0E4C1922DBA12685D52ED4959D999777E41DE3FC98237C4B1180
   Common Name (CN)             mx.google.com
   subjectAltName (SAN)         mx.google.com smtp.google.com aspmx.l.google.com alt1.aspmx.l.google.com alt2.aspmx.l.google.com alt3.aspmx.l.google.com alt4.aspmx.l.google.com gmail-smtp-in.l.google.com alt1.gmail-smtp-in.l.google.com alt2.gmail-smtp-in.l.google.com alt3.gmail-smtp-in.l.google.com alt4.gmail-smtp-in.l.google.com gmr-smtp-in.l.google.com alt1.gmr-smtp-in.l.google.com alt2.gmr-smtp-in.l.google.com
                                alt3.gmr-smtp-in.l.google.com alt4.gmr-smtp-in.l.google.com mx1.smtp.goog mx2.smtp.goog mx3.smtp.goog mx4.smtp.goog aspmx2.googlemail.com aspmx3.googlemail.com aspmx4.googlemail.com aspmx5.googlemail.com gmr-mx.google.com
   Issuer                       GTS CA 1C3 (Google Trust Services LLC from US)
   Trust (hostname)             Ok via SAN (same w/o SNI)
   Chain of trust               Ok
   EV cert (experimental)       no
   ETS/"eTLS", visibility info  not present
   Certificate Validity (UTC)   65 >= 60 days (2021-10-04 04:13 --> 2021-12-27 03:13)
   # of certificates provided   3
   Certificate Revocation List  http://crls.pki.goog/gts1c3/QOvJ0N1sT2A.crl
   OCSP URI                     http://ocsp.pki.goog/gts1c3
   OCSP stapling                not offered
   OCSP must staple extension   --
   DNS CAA RR (experimental)    available - please check for match with "Issuer" above: issue=pki.goog
   Certificate Transparency     yes (certificate extension)


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    VULNERABLE, uses 64 bit block ciphers
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=7F68FE010D400DA8BA7700EBD0C8EB77CB7A0D5D7B8887B6DB3C51BBD7C4B118 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc02c   ECDHE-ECDSA-AES256-GCM-SHA384     ECDH 253   AESGCM      256      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xc00a   ECDHE-ECDSA-AES256-SHA            ECDH 253   AES         256      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
 xcca9   ECDHE-ECDSA-CHACHA20-POLY1305     ECDH 253   ChaCha20    256      TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc02b   ECDHE-ECDSA-AES128-GCM-SHA256     ECDH 253   AESGCM      128      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc009   ECDHE-ECDSA-AES128-SHA            ECDH 253   AES         128      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 x0a     DES-CBC3-SHA                      RSA        3DES        168      TLS_RSA_WITH_3DES_EDE_CBC_SHA


 Running client simulations via sockets

 Android 8.1 (native)         TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)
 Java 6u45                    TLSv1.0 AES128-SHA, No FS
 Java 7u25                    TLSv1.0 ECDHE-ECDSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK)        TLSv1.3 TLS_AES_128_GCM_SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256, 256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305, 253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Thunderbird (68.3)           TLSv1.3 TLS_AES_128_GCM_SHA256, 253 bit ECDH (X25519)

 Done 2021-10-22 18:16:52 [  92s] -->> 142.251.5.27:25 (aspmx.l.google.com) <<--

ProtonMail:

➜ testssl -t smtp mailsec.protonmail.ch:25

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl       3.0.5 from https://testssl.sh/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1l  24 Aug 2021" [~80 ciphers]
 on tiebreaker:/usr/bin/openssl
 (built: "Aug 24 14:27:02 2021", platform: "linux-x86_64")


Testing all IPv4 addresses (port 25): 185.70.42.129 185.70.40.102 185.205.70.129 176.119.200.129
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Start 2021-10-22 18:20:46        -->> 185.70.42.129:25 (mailsec.protonmail.ch) <<--

 Further IP addresses:   185.70.40.102 185.205.70.129 176.119.200.129
 rDNS (185.70.42.129):   185-70-42-129.protonmail.ch.
 Service set:            STARTTLS via SMTP

 Testing protocols via sockets

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final

 Testing cipher categories

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered
 Obsolete CBC ciphers (AES, ARIA etc.)         offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ARIA256-GCM-SHA384 TLS_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-ARIA128-GCM-SHA256
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 X448


 Testing server preferences

 Has server cipher order?     yes (OK) -- TLS 1.3 and below
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA
    TLSv1.1:   ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ARIA256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA AES256-GCM-SHA384 AES256-CCM8 AES256-CCM ARIA256-GCM-SHA384 AES256-SHA256 AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ARIA128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA AES128-GCM-SHA256 AES128-CCM8 AES128-CCM ARIA128-GCM-SHA256 AES128-SHA256 AES128-SHA
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256


 Testing server defaults (Server Hello)

 TLS extensions (standard)    "renegotiation info/#65281" "EC point formats/#11" "session ticket/#35" "supported versions/#43" "key share/#51" "max fragment length/#1" "encrypt-then-mac/#22" "extended master secret/#23"
 Session Ticket RFC 5077 hint 7200 seconds, session tickets keys seems to be rotated < daily
 SSL Session ID support       yes
 Session Resumption           Tickets: yes, ID: no
 TLS clock skew               Random values, no fingerprinting possible
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 4096 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
 Serial / Fingerprints        0356170A40D6C017D04541FC5527BA2FB136 / SHA1 C97AF757A2723511E99F8E1916213CA31BE1ACF5
                              SHA256 37252645C3FC5B2DA7B2A03C5A07EC788CD8BDD6AC130CC0F4DFB33F1B337144
 Common Name (CN)             protonmail.com
 subjectAltName (SAN)         *.pm.me *.protonmail.ch *.protonmail.com *.protonvpn.ch *.protonvpn.com protonmail.com
 Issuer                       R3 (Let's Encrypt from US)
 Trust (hostname)             Ok via SAN wildcard (same w/o SNI)
 Chain of trust               Ok
 EV cert (experimental)       no
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   71 >= 30 days (2021-10-04 10:54 --> 2022-01-02 09:54)
 # of certificates provided   2
 Certificate Revocation List  --
 OCSP URI                     http://r3.o.lencr.org
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    available - please check for match with "Issuer" above
                              iodef=mailto:security@protonmail.com, issue=letsencrypt.org, issue=swisssign.com
 Certificate Transparency     yes (certificate extension)


 Testing vulnerabilities

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=37252645C3FC5B2DA7B2A03C5A07EC788CD8BDD6AC130CC0F4DFB33F1B337144 could help you to find out
 LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK): no DH EXPORT ciphers, no DH key detected with <= TLS 1.2
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES256-SHA AES256-SHA ECDHE-RSA-AES128-SHA AES128-SHA
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384            ECDH 253   AESGCM      256      TLS_AES_256_GCM_SHA384
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 253   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 253   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 xc014   ECDHE-RSA-AES256-SHA              ECDH 253   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 253   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384
 xc0a1   AES256-CCM8                       RSA        AESCCM8     256      TLS_RSA_WITH_AES_256_CCM_8
 xc09d   AES256-CCM                        RSA        AESCCM      256      TLS_RSA_WITH_AES_256_CCM
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA
 xc051   ARIA256-GCM-SHA384                RSA        ARIAGCM     256      TLS_RSA_WITH_ARIA_256_GCM_SHA384
 xc061   ECDHE-ARIA256-GCM-SHA384          ECDH 253   ARIAGCM     256      TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384
 x1301   TLS_AES_128_GCM_SHA256            ECDH 253   AESGCM      128      TLS_AES_128_GCM_SHA256
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 253   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 xc013   ECDHE-RSA-AES128-SHA              ECDH 253   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 xc0a0   AES128-CCM8                       RSA        AESCCM8     128      TLS_RSA_WITH_AES_128_CCM_8
 xc09c   AES128-CCM                        RSA        AESCCM      128      TLS_RSA_WITH_AES_128_CCM
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA
 xc050   ARIA128-GCM-SHA256                RSA        ARIAGCM     128      TLS_RSA_WITH_ARIA_128_GCM_SHA256
 xc060   ECDHE-ARIA128-GCM-SHA256          ECDH 253   ARIAGCM     128      TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256


 Running client simulations via sockets

 Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 Android 9.0 (native)         TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Android 10.0 (native)        TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Java 6u45                    TLSv1.0 AES128-SHA, No FS
 Java 7u25                    TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK)        TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 253 bit ECDH (X25519)
 OpenSSL 1.1.1d (Debian)      TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)
 Thunderbird (68.3)           TLSv1.3 TLS_AES_256_GCM_SHA384, 253 bit ECDH (X25519)

 Done 2021-10-22 18:22:14 [  91s] -->> 185.70.42.129:25 (mailsec.protonmail.ch) <<--

With GMX, no connection is established at all. Why? This is why:

➜ telnet mx01.emig.gmx.net 25
Trying 212.227.17.5...
Connected to mx01.emig.gmx.net.
Escape character is '^]'.
554-gmx.net (mxgmx114) Nemesis ESMTP Service not available
554-No SMTP service
554-IP address is block listed.
554 For explanation visit https://www.gmx.net/mail/senderguidelines?ip=87.172.164.53&c=bl
Connection closed by foreign host.
16:28:30
@silentstalker:nukethe.earthSilentStalkerCompatibility-wise that is a disaster, but more modern than 10 years ago.16:30:07
23 Oct 2021
@jacky:matrix.hanibal.mywire.orgjacky changed their display name from Eric to jacky.08:56:29
@alex:azha.dealex

SilentStalker: I took a look at gmx, from the system that the e-mails go through:

testssl -t smtp mx01.emig.gmx.net:25

No engine or GOST support via engine with your /usr/bin/openssl

###########################################################
    testssl       3.0 from https://testssl.sh/

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "OpenSSL 1.1.1f  31 Mar 2020" [~79 ciphers]
 on azha:/usr/bin/openssl
 (built: "Aug 23 17:02:39 2021", platform: "debian-amd64")


 Start 2021-10-23 11:59:19        -->> 212.227.17.5:25 (mx01.emig.gmx.net) <<--

 rDNS (212.227.17.5):    mx01.emig.gmx.net.
 Service set:            STARTTLS via SMTP

 Testing protocols via sockets 

 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    offered (OK): final

 Testing cipher categories 

 NULL ciphers (no encryption)                  not offered (OK)
 Anonymous NULL Ciphers (no authentication)    not offered (OK)
 Export ciphers (w/o ADH+NULL)                 not offered (OK)
 LOW: 64 Bit + DES, RC[2,4] (w/o export)       not offered (OK)
 Triple DES Ciphers / IDEA                     not offered
 Obsolete: SEED + 128+256 Bit CBC cipher       offered
 Strong encryption (AEAD ciphers)              offered (OK)


 Testing robust (perfect) forward secrecy, (P)FS -- omitting Null Authentication/Encryption, 3DES, RC4 

 PFS is offered (OK)          TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM DHE-RSA-AES256-SHA256
                              DHE-RSA-AES256-SHA TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA 
 Elliptic curves offered:     prime256v1 secp384r1 secp521r1 X25519 
 Finite field group:          ffdhe2048 ffdhe3072 ffdhe4096 ffdhe6144 ffdhe8192

 Testing server preferences 

 Has server cipher order?     yes (OK) -- TLS 1.3 and below
 Negotiated protocol          TLSv1.3
 Negotiated cipher            TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Cipher order
    TLSv1:     ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA 
    TLSv1.1:   ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA 
    TLSv1.2:   ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM
               DHE-RSA-AES256-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-CCM DHE-RSA-AES128-SHA DHE-RSA-AES128-SHA256 AES256-GCM-SHA384 AES256-CCM AES256-SHA AES256-SHA256 AES128-GCM-SHA256 AES128-CCM AES128-SHA AES128-SHA256 
    TLSv1.3:   TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_SHA256 


 Testing server defaults (Server Hello) 

 TLS extensions (standard)    "EC point formats/#11" "renegotiation info/#65281" "key share/#51" "supported versions/#43" "encrypt-then-mac/#22" "max fragment length/#1"
 Session Ticket RFC 5077 hint no -- no lifetime advertised
 SSL Session ID support       yes
 Session Resumption           Tickets no, ID: no
 TLS clock skew               Random values, no fingerprinting possible 
 Signature Algorithm          SHA256 with RSA
 Server key size              RSA 2048 bits
 Server key usage             Digital Signature, Key Encipherment
 Server extended key usage    TLS Web Client Authentication, TLS Web Server Authentication
 Serial / Fingerprints        257D68A7200AA5DFBD5BFCDB4E664E7F / SHA1 E5B2E3B40231497A78F91AEF279E23F3AE7B9110
                              SHA256 E9EA38A058DDA2C392B9DE38546DE1FB9E29D908A2B89EAE4000F32DE88D7ACA
 Common Name (CN)             mx.gmx.net 
 subjectAltName (SAN)         mx.gmx.net mx00.gmx.net mx01.gmx.net mx00.emig.gmx.net mx01.emig.gmx.net dhmx01.emig.gmx.net dhmx02.emig.gmx.net 
 Issuer                       TeleSec ServerPass Class 2 CA (T-Systems International GmbH from DE)
 Trust (hostname)             Ok via SAN (same w/o SNI)
 Chain of trust               Ok   
 EV cert (experimental)       no 
 ETS/"eTLS", visibility info  not present
 Certificate Validity (UTC)   233 >= 60 days (2021-06-08 13:28 --> 2022-06-14 01:59)
 # of certificates provided   2
 Certificate Revocation List  http://crl.serverpass.telesec.de/rl/ServerPass_Class_2.crl
 OCSP URI                     http://ocsp.serverpass.telesec.de/ocspr
 OCSP stapling                not offered
 OCSP must staple extension   --
 DNS CAA RR (experimental)    available - please check for match with "Issuer" above
                              issue=Digicert.com, issue=telesec.de
 Certificate Transparency     yes (certificate extension)


 Testing vulnerabilities 

 Heartbleed (CVE-2014-0160)                not vulnerable (OK), no heartbeat extension
 CCS (CVE-2014-0224)                       not vulnerable (OK)
 ROBOT                                     not vulnerable (OK)
 Secure Renegotiation (RFC 5746)           supported (OK)
 Secure Client-Initiated Renegotiation     not vulnerable (OK)
 CRIME, TLS (CVE-2012-4929)                not vulnerable (OK) (not using HTTP anyway)
 POODLE, SSL (CVE-2014-3566)               not vulnerable (OK), no SSLv3 support
 TLS_FALLBACK_SCSV (RFC 7507)              Check failed, unexpected result , run testssl -Z --debug=1 and look at /tmp/testssl.Tkwdv9/*tls_fallback_scsv.txt
 SWEET32 (CVE-2016-2183, CVE-2016-6329)    not vulnerable (OK)
 FREAK (CVE-2015-0204)                     not vulnerable (OK)
 DROWN (CVE-2016-0800, CVE-2016-0703)      not vulnerable on this host and port (OK)
                                           make sure you don't use this certificate elsewhere with SSLv2 enabled services
                                           https://censys.io/ipv4?q=E9EA38A058DDA2C392B9DE38546DE1FB9E29D908A2B89EAE4000F32DE88D7ACA could help you to find out
 LOGJAM (CVE-2015-4000), experimental      common prime with 2048 bits detected: RFC7919/ffdhe2048 (2048 bits),
                                           but no DH EXPORT ciphers
 BEAST (CVE-2011-3389)                     TLS1: ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA AES256-SHA AES128-SHA 
                                           VULNERABLE -- but also supports higher protocols  TLSv1.1 TLSv1.2 (likely mitigated)
 LUCKY13 (CVE-2013-0169), experimental     potentially VULNERABLE, uses cipher block chaining (CBC) ciphers with TLS. Check patches
 RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)


 Testing 370 ciphers via OpenSSL plus sockets against the server, ordered by encryption strength 

Hexcode  Cipher Suite Name (OpenSSL)       KeyExch.   Encryption  Bits     Cipher Suite Name (IANA/RFC)
-----------------------------------------------------------------------------------------------------------------------------
 x1302   TLS_AES_256_GCM_SHA384            ECDH 256   AESGCM      256      TLS_AES_256_GCM_SHA384                             
 x1303   TLS_CHACHA20_POLY1305_SHA256      ECDH 256   ChaCha20    256      TLS_CHACHA20_POLY1305_SHA256                       
 xc030   ECDHE-RSA-AES256-GCM-SHA384       ECDH 256   AESGCM      256      TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384              
 xc028   ECDHE-RSA-AES256-SHA384           ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384              
 xc014   ECDHE-RSA-AES256-SHA              ECDH 256   AES         256      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA                 
 x9f     DHE-RSA-AES256-GCM-SHA384         DH 2048    AESGCM      256      TLS_DHE_RSA_WITH_AES_256_GCM_SHA384                
 xcca8   ECDHE-RSA-CHACHA20-POLY1305       ECDH 256   ChaCha20    256      TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256        
 xccaa   DHE-RSA-CHACHA20-POLY1305         DH 2048    ChaCha20    256      TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256          
 xc09f   DHE-RSA-AES256-CCM                DH 2048    AESCCM      256      TLS_DHE_RSA_WITH_AES_256_CCM                       
 x6b     DHE-RSA-AES256-SHA256             DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA256                
 x39     DHE-RSA-AES256-SHA                DH 2048    AES         256      TLS_DHE_RSA_WITH_AES_256_CBC_SHA                   
 x9d     AES256-GCM-SHA384                 RSA        AESGCM      256      TLS_RSA_WITH_AES_256_GCM_SHA384                    
 xc09d   AES256-CCM                        RSA        AESCCM      256      TLS_RSA_WITH_AES_256_CCM                           
 x3d     AES256-SHA256                     RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA256                    
 x35     AES256-SHA                        RSA        AES         256      TLS_RSA_WITH_AES_256_CBC_SHA                       
 x1301   TLS_AES_128_GCM_SHA256            ECDH 256   AESGCM      128      TLS_AES_128_GCM_SHA256                             
 x1304   TLS_AES_128_CCM_SHA256            ECDH 256   AESCCM      128      TLS_AES_128_CCM_SHA256                             
 xc02f   ECDHE-RSA-AES128-GCM-SHA256       ECDH 256   AESGCM      128      TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256              
 xc027   ECDHE-RSA-AES128-SHA256           ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256              
 xc013   ECDHE-RSA-AES128-SHA              ECDH 256   AES         128      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA                 
 x9e     DHE-RSA-AES128-GCM-SHA256         DH 2048    AESGCM      128      TLS_DHE_RSA_WITH_AES_128_GCM_SHA256                
 xc09e   DHE-RSA-AES128-CCM                DH 2048    AESCCM      128      TLS_DHE_RSA_WITH_AES_128_CCM                       
 xc09c   AES128-CCM                        RSA        AESCCM      128      TLS_RSA_WITH_AES_128_CCM                           
 x67     DHE-RSA-AES128-SHA256             DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA256                
 x33     DHE-RSA-AES128-SHA                DH 2048    AES         128      TLS_DHE_RSA_WITH_AES_128_CBC_SHA                   
 x9c     AES128-GCM-SHA256                 RSA        AESGCM      128      TLS_RSA_WITH_AES_128_GCM_SHA256                    
 x3c     AES128-SHA256                     RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA256                    
 x2f     AES128-SHA                        RSA        AES         128      TLS_RSA_WITH_AES_128_CBC_SHA                       


 Running client simulations via sockets 

 Android 8.1 (native)         TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Android 9.0 (native)         TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Android 10.0 (native)        TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Java 6u45                    No connection
 Java 7u25                    TLSv1.0 ECDHE-RSA-AES128-SHA, 256 bit ECDH (P-256)
 Java 8u161                   TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 Java 11.0.2 (OpenJDK)        TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Java 12.0.1 (OpenJDK)        TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.0.2e               TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.1.0l (Debian)      TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 256 bit ECDH (P-256)
 OpenSSL 1.1.1d (Debian)      TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)
 Thunderbird (68.3)           TLSv1.3 TLS_AES_256_GCM_SHA384, 256 bit ECDH (P-256)

 Done 2021-10-23 12:00:56 [  99s] -->> 212.227.17.5:25 (mx01.emig.gmx.net) <<--

-> the very first two match, and are even in the same order. I therefore assume that I don't have the same error as with de.ssl-tools.net.
The problem with GMX looks like this in my logs:

Oct 23 04:24:16 mail postfix/smtp[433006]: initializing the client-side TLS engine
Oct 23 04:24:16 mail postfix/smtp[433006]: setting up TLS connection to mx01.emig.gmx.net[212.227.17.5]:25
Oct 23 04:24:16 mail postfix/smtp[433006]: mx01.emig.gmx.net[212.227.17.5]:25: TLS cipher list "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CCM8 ECDHE-ECDSA-AES256-CCM ECDHE-ECDSA-ARIA256-GCM-SHA384 ECDHE-ARIA256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES256-CCM8 DHE-RSA-AES256-CCM DHE-DSS-ARIA256-GCM-SHA384 DHE-RSA-ARIA256-GCM-SHA384 RSA-PSK-AES256-GCM-SHA384 DHE-PSK-AES256-GCM-SHA384 RSA-PSK-CHACHA20-POLY1305 DHE-PSK-CHACHA20-POLY1305 ECDHE-PSK-CHACHA20-POLY1305 DHE-PSK-AES256-CCM8 DHE-PSK-AES256-CCM RSA-PSK-ARIA256-GCM-SHA384 DHE-PSK-ARIA256-GCM-SHA384:!eNULL"
Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:before SSL initialization
Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello
Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello
Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS read server hello
Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write change cipher spec
Oct 23 04:24:16 mail postfix/smtp[433006]: SSL_connect:SSLv3/TLS write client hello
Oct 23 04:29:16 mail postfix/smtp[433006]: SSL_connect error to mx01.emig.gmx.net[212.227.17.5]:25: Connection timed out
Oct 23 04:29:16 mail postfix/smtp[433006]: 5793FA0791: Cannot start TLS: handshake failure

The funny thing is: at some point the e-mail goes through; as soon as that happens I'll append the logging here.

10:20:13
@Don_Camillo:matrix.orgDon CamilloI have a problem with the Nextcloud snap: somehow it won't connect to the internet (outgoing), but it has the right interfaces enabled. What could be causing this? I'm really at my wits' end right now.14:58:18
