Hello,
We operate SMTP servers using a valid SMTP server certificate.
We ask SMTP clients for a certificate (smtpd_tls_ask_ccert = yes).
Our SMTP servers are reachable only by one external organisation, not
as a public MX.
Over the last years, we saw 100% "Trusted TLS connection established from ...".
Since April 1, 2026, 8 am UTC, we have 1% untrusted connections.
Even the same SMTP client IP switches between Trusted/Untrusted multiple
times per hour.
To me, it looks like the remote side reuses IPv4 addresses for multiple
SMTP client instances,
and some (~1%) of them have been misconfigured since yesterday.
Now, I tried to debug such a session. I picked one random client IP,
set "debug_peer_list = <selected ipv4>" + "postfix reload"
and waited.
After some time, I had a hit. But the debug log did not contain TLS-
relevant information like
the presented certificate or chain data.
I think I would have to set "smtpd_tls_loglevel = 2" (currently 1),
but I'm unsure whether this - unlike debug_peer_list - affects all traffic.
So, what are other opportunities? In the meantime I will start to use
tcpdump ...
Andreas
BTW: the remote SMTP clients are operated by Microsoft ...
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
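Before raising smtpd_tls_loglevel (a main.cf setting that applies to every smtpd session unless overridden per service in master.cf with -o), the existing level-1 log lines already carry enough to narrow the problem down: each handshake logs "Trusted", "Untrusted" or "Anonymous TLS connection established from host[ip]: protocol with cipher ...". The script below is an added example, not from the post or from Postfix itself; it tallies those states per client IP, lists IPs that flap between Trusted and Untrusted, and records which protocol/cipher combination each state used, which often reveals that the untrusted sessions come from a different TLS stack behind the same address. The log lines are constructed samples with RFC 5737 addresses; the hostnames and PIDs are assumptions.

```python
"""Tally Postfix smtpd TLS trust states per client IP from mail.log lines."""
import re
from collections import defaultdict

# Matches the level-1 smtpd TLS handshake log line, e.g.
#   ... postfix/smtpd[4711]: Trusted TLS connection established from
#       mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-... (256/256 bits)
TLS_LINE = re.compile(
    r"postfix/smtpd\[\d+\]: "
    r"(?P<state>Anonymous|Untrusted|Trusted) TLS connection established from "
    r"(?P<host>\S+?)\[(?P<ip>[^\]]+)\]: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

# Constructed sample log lines (not real traffic); 192.0.2.10 flaps.
SAMPLE_LOG = """\
Apr  2 08:01:10 mx1 postfix/smtpd[4711]: Trusted TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  2 08:03:42 mx1 postfix/smtpd[4712]: Untrusted TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Apr  2 08:05:07 mx1 postfix/smtpd[4713]: Trusted TLS connection established from mail-b.example.net[192.0.2.11]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  2 08:07:55 mx1 postfix/smtpd[4714]: Trusted TLS connection established from mail-a.example.net[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Apr  2 08:09:13 mx1 postfix/smtpd[4715]: connect from mail-c.example.net[192.0.2.12]
"""


def parse_tls_events(lines):
    """Yield (ip, state, proto, cipher) for every TLS handshake line; skip the rest."""
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            yield m["ip"], m["state"], m["proto"], m["cipher"]


def tally_by_ip(lines):
    """Return {ip: {state: count}} so the Trusted/Untrusted ratio per IP is visible."""
    counts = defaultdict(lambda: defaultdict(int))
    for ip, state, _, _ in parse_tls_events(lines):
        counts[ip][state] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def flapping_ips(lines):
    """IPs that were logged both Trusted and Untrusted within the input window."""
    return sorted(ip for ip, c in tally_by_ip(lines).items()
                  if "Trusted" in c and "Untrusted" in c)


def fingerprints_by_state(lines):
    """{ip: {state: {(proto, cipher), ...}}}: a different TLS stack per state is a
    strong hint that several client instances share the address."""
    fp = defaultdict(lambda: defaultdict(set))
    for ip, state, proto, cipher in parse_tls_events(lines):
        fp[ip][state].add((proto, cipher))
    return {ip: {s: set(v) for s, v in d.items()} for ip, d in fp.items()}


def untrusted_ratio(lines):
    """Share of handshakes that were Untrusted, over all TLS handshakes seen."""
    events = list(parse_tls_events(lines))
    if not events:
        return 0.0
    return sum(1 for _, s, _, _ in events if s == "Untrusted") / len(events)


if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    lines = list(src)
    print("untrusted ratio:", round(untrusted_ratio(lines), 3))
    print("flapping IPs:", flapping_ips(lines))
    for ip in flapping_ips(lines):
        print(ip, fingerprints_by_state(lines)[ip])
```

Run it against /var/log/mail.log (or a journalctl -u postfix dump) to get the candidate IPs and the protocol/cipher split without touching the running configuration. One caveat for the tcpdump route: when the flapping sessions negotiate TLS 1.3, the client certificate travels inside the encrypted part of the handshake, so a capture will not show it; only TLS 1.2 sessions expose the Certificate message in the clear.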