So after days of fighting around I ended up like this so far:
1: NONE of the logging provided in the whole AWS documentation I've read extensively (including complex & painful stacking of services over SES: IAM, SNS, Lambda, CloudWatch, CloudTrail/Lake, S3 etc.) would ever display the SMTP TLS version used during the handshake & packet exchanges from my Debian server! Therefore useless to test anything.
2: after testing several incomplete network utilities on Debian (and trying to avoid a massive package install for Wireshark and even the lighter tshark) I FINALLY spotted a difference within a tcpdump command line over port 587; in the resulting dump I could see the mention DOWNGRD right after a READY FOR TLS & before seeing the AWS certificate name shown.
I assumed that very last element would imply TLS 1.2 or over being refused on handshake and therefore backported into 1/1.1, triggering the upgrade alerts Amazon sent me. From there I've tested several MTA alternatives & configs to choose one quite recent (even though summoning GnuTLS instead of OpenSSL, but still nice). Performing some sending tests with it, no more DOWNGRD spotted in the tcpdumps.
Hoping I can consider this maze over...
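The DOWNGRD string the post describes seeing in the tcpdump right after the STARTTLS "ready" reply is the TLS 1.3 downgrade-protection sentinel from RFC 8446 section 4.1.3: a TLS 1.3-capable server that ends up negotiating TLS 1.2 writes DOWNGRD followed by 0x01 into the last eight bytes of ServerHello.random (0x00 when it negotiates TLS 1.1 or lower). As an added example, not code from the post or from AWS, this Python classifies that tail on a captured random and also reports the version a submission host actually negotiates on port 587; the host name is a placeholder and the sample random is constructed.

```python
import smtplib
import ssl

# RFC 8446 section 4.1.3: a TLS 1.3-capable server that agrees on an older
# version puts one of these 8-byte sentinels at the end of ServerHello.random.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"  # hex 44 4f 57 4e 47 52 44 01 -> TLS 1.2 negotiated
DOWNGRADE_TLS11 = b"DOWNGRD\x00"  # hex 44 4f 57 4e 47 52 44 00 -> TLS 1.1 or lower


def classify_server_random(server_random: bytes) -> str:
    """Interpret the 32-byte ServerHello.random copied out of a capture (tcpdump -X)."""
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be exactly 32 bytes")
    tail = server_random[-8:]
    if tail == DOWNGRADE_TLS12:
        return "TLS 1.2 negotiated by a TLS 1.3-capable server (downgrade sentinel set)"
    if tail == DOWNGRADE_TLS11:
        return "TLS 1.1 or lower negotiated (downgrade sentinel set)"
    return "no downgrade sentinel: TLS 1.3, or a server without TLS 1.3 support"


def negotiated_smtp_tls_version(host: str, port: int = 587, timeout: float = 10.0) -> str:
    """EHLO, STARTTLS with a TLS 1.2+ client policy, and return the negotiated version."""
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older on our side
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=context)  # the socket is now an SSLSocket
        return smtp.sock.version()      # e.g. "TLSv1.2" or "TLSv1.3"


if __name__ == "__main__":
    # Constructed sample: 24 arbitrary bytes followed by the TLS 1.2 sentinel,
    # the shape of what the post saw as "DOWNGRD" in the dump.
    sample_random = bytes(range(24)) + DOWNGRADE_TLS12
    print(classify_server_random(sample_random))
    # Live check against a placeholder submission host (needs network access):
    # print(negotiated_smtp_tls_version("email-smtp.REGION-PLACEHOLDER.amazonaws.com"))
```

If the live check prints TLSv1.2 or TLSv1.3 while the server's random carries no sentinel, the MTA itself is negotiating a current version and the downgrade seen earlier came from the old client configuration.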