Issues Sending to Gmail.com

Yep, let me check that

Looks ok to me

drwxr-xr-x 2 root root 20480 Jan 15 01:36 /etc/ssl/certs

Even updated the ca store

Okay..

Maybe things don’t have to be that complicated

kumo.on('get_egress_path_config', function(domain, source_name, site_name)
  return kumo.make_egress_path {
    -- try TLS, but fall back to cleartext even when the handshake fails
    enable_tls = 'OpportunisticInsecure',
    -- remember that TLS is broken for this site, so retries skip TLS
    remember_broken_tls = '3 days',
    skip_hosts = { '::/0' },
  }
end)

This seems to be working just fine

It looks like OpportunisticInsecure by default isn’t enough. You need to specify remember_broken_tls to make it actually reattempt a connection and send insecurely

Hmm… you probably want 644 permissions on the cert files (-rw-r--r--)
and the kumod user needs to have access to it.
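A quick way to check the permission point made above. This is an added example, not something posted in the thread: it lists files under a cert directory that are not world-readable, and directories that are not world-traversable, since a service user like kumod needs both to open a cert. The directory path is a parameter; /etc/ssl/certs is only the default.

```shell
#!/bin/sh
# Added example (not from the thread): report cert files the service user
# could not read. A file needs o+r (644 is typical) and every directory on
# the way to it needs o+x for a non-root user to reach it.
find_unreadable_certs() {
  dir="${1:-/etc/ssl/certs}"
  # print regular files lacking other-read, and directories lacking other-exec
  find "$dir" \( -type f ! -perm -o=r \) -o \( -type d ! -perm -o=x \)
}

# Usage: find_unreadable_certs /etc/ssl/certs
# No output means nothing under the directory blocks a non-root reader.
```

Note that this only checks permission bits; a cert that is readable but not in the bundle kumod actually loads is a separate problem.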

Ooh crap. I’ll have a look at that tonight

What are your thoughts about this? Is it intended to be like that?

Opportunistic is the default and the recommendation. OpportunisticInsecure was added to compensate for poorly maintained sites, so use it with caution.

One of the problems with it is that if the TLS cert is really broken, then even OpportunisticInsecure won't work and we have to retry from scratch without TLS at all. This is where remember_broken_tls comes in. In some environments, we are finding that you need both.

Sometimes I think we spend more time compensating for a fundamentally broken Internet than actually writing new code.
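Given the caution above, one way to keep the insecure fallback narrow is to apply it only to the sites known to have broken TLS and leave everything else on the recommended Opportunistic setting. This is an added example, not code from the thread or from the KumoMTA project; it assumes the first callback argument is the destination domain (as the snippet earlier in the thread uses it) and the domain in the allow-list is a placeholder.

```lua
-- Added example (not from the thread or the KumoMTA project): scope
-- OpportunisticInsecure plus remember_broken_tls to specific domains
-- instead of enabling them for all egress paths.
local broken_tls_domains = {
  ['example.com'] = true,  -- placeholder, constructed for this example
}

kumo.on('get_egress_path_config', function(domain, source_name, site_name)
  -- Opportunistic is the default and the recommendation: use TLS when the
  -- remote offers it and a proper handshake succeeds.
  local params = {
    enable_tls = 'Opportunistic',
  }

  -- Only for sites we have confirmed are broken, accept an insecure
  -- handshake and remember the failure so retries don't keep stalling on TLS.
  if broken_tls_domains[domain] then
    params.enable_tls = 'OpportunisticInsecure'
    params.remember_broken_tls = '3 days'
  end

  return kumo.make_egress_path(params)
end)
```

The list is the control point: a domain gets the insecure path only after someone has looked at why the handshake fails, and it can be removed again once the remote fixes its certificate.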

Yep, fair enough. One more question: Does Rustls support TLS v1.2? I did not find it in this list when I ran this command: /opt/kumomta/sbin/tls-probe list-rustls-cipher-suites

Yes
“Rustls implements TLS1.2 and TLS1.3 for both clients and servers. See the full list of protocol features.”

Got it, thank you

Hm, ok. That’s a bit odd. We had troubles sending to this domain yesterday. The certificate was valid, the CN matched the hostname and it’s using TLS 1.2, but for some reason, KumoMTA said the handshake kept failing. It’s no longer an issue with OpportunisticInsecure and remember_broken_tls, but just thought to mention it

ok