SSL3 alert read:fatal:handshake failure with some hosts

i´m on 0.44 now, and i cannot send to “kabelmail.de”. is there anything i can do?
i thought it is because of missing tls1.3 support, but

Mar 5 10:50:49 box postfix/smtp[57260]: initializing the client-side TLS engine
Mar 5 10:50:49 box postfix/smtp[57260]: setting up TLS connection to mx01.xworks.net[31.25.48.11]:25
Mar 5 10:50:49 box postfix/smtp[57260]: mx01.xworks.net[31.25.48.11]:25: TLS cipher list “ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4:!aNULL”
Mar 5 10:50:49 box postfix/smtp[57260]: looking for session smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 in smtp cache
Mar 5 10:50:49 box postfix/tlsmgr[85965]: lookup smtp session id=smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:49 box postfix/smtp[57260]: mx01.xworks.net[31.25.48.11]:25: SNI hostname: mx01.xworks.net
Mar 5 10:50:49 box postfix/smtp[57260]: SSL_connect:before SSL initialization
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:SSLv3/TLS write client hello
Mar 5 10:50:50 box postfix/smtp[57260]: SSL3 alert read:fatal:handshake failure
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:error in error
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect error to mx01.xworks.net[31.25.48.11]:25: -1
Mar 5 10:50:50 box postfix/smtp[57260]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1528:SSL alert number 40:
Mar 5 10:50:50 box postfix/smtp[57260]: remove session smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 from client cache
Mar 5 10:50:50 box postfix/tlsmgr[85965]: delete smtp session id=smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:50 box postfix/smtp[57260]: E489DA005D: to=s.dittmann@kabelmail.de, relay=mx01.xworks.net[31.25.48.11]:25, delay=55045, delays=55045/0.02/0.21/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Mar 5 10:50:49 box postfix/smtp[57260]: initializing the client-side TLS engine
Mar 5 10:50:49 box postfix/smtp[57260]: setting up TLS connection to mx01.xworks.net[31.25.48.11]:25
Mar 5 10:50:49 box postfix/smtp[57260]: mx01.xworks.net[31.25.48.11]:25: TLS cipher list “ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4:!aNULL”
Mar 5 10:50:49 box postfix/smtp[57260]: looking for session smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 in smtp cache
Mar 5 10:50:49 box postfix/tlsmgr[85965]: lookup smtp session id=smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:49 box postfix/smtp[57260]: mx01.xworks.net[31.25.48.11]:25: SNI hostname: mx01.xworks.net
Mar 5 10:50:49 box postfix/smtp[57260]: SSL_connect:before SSL initialization
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:SSLv3/TLS write client hello
Mar 5 10:50:50 box postfix/smtp[57260]: SSL3 alert read:fatal:handshake failure
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:error in error
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect error to mx01.xworks.net[31.25.48.11]:25: -1
Mar 5 10:50:50 box postfix/smtp[57260]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1528:SSL alert number 40:
Mar 5 10:50:50 box postfix/smtp[57260]: remove session smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 from client cache
Mar 5 10:50:50 box postfix/tlsmgr[85965]: delete smtp session id=smtp&kabelmail.de&mx01.xworks.net&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:50 box postfix/smtp[57260]: E489DA005D: to=*some.username*@kabelmail.de, relay=mx01.xworks.net[31.25.48.11]:25, delay=55045, delays=55045/0.02/0.21/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

root@box:/var/log# openssl s_client -starttls smtp -connect mx01.xworks.net:25
CONNECTED(00000005)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
verify return:1
depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
verify return:1
depth=0 CN = *.xworks.net
verify return:1
---
Certificate chain
 0 s:CN = *.xworks.net
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
 1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHIzCCBgugAwIBAgIQAnc7lCuV0j9UKs1kFyesijANBgkqhkiG9w0BAQsFADBe
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR0wGwYDVQQDExRUaGF3dGUgVExTIFJTQSBDQSBHMTAe
Fw0yMDAxMDYwMDAwMDBaFw0yMjAxMDUxMjAwMDBaMBcxFTATBgNVBAMMDCoueHdv
cmtzLm5ldDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAORyeEZvF9Bw
SAu3lbED9RIeoBdo4I9EKlSYD+iS3owD6Kw5x4ZC+HzoWTYRCuXFaY9tFoplo7ub
iHM0LKm5X9l7eWCezy0wiTvAkXEqwDPF1LBbwe9ZAxxE7cVvLM03ZKGv3lallHqJ
vX3aEVaSWXDbeSxj7gtjziZ3uMQwmG/UePQxO+e6JIhtkTnsb9JKOZN/T9HARlRB
04T80IlXZFcpODbtV2gjRIDy2oneOeqXMZPZWWXUc4twp73yDQiuBK6lixOTL4lr
DtL5wWR7CVouDmfesYwk5Ow9Y6sA8IU2gTnh4qvvdZtpYn+7FDB4IdLzTcEv6jae
GGJPS/iRAU2cGosnP/o9IdqEi3rGVcks7khlgyaYSYALt1V1pQomcSW/q/trxS+V
iKTf3RbvGU+3QBnKf+PNSsz9Zsdx1Ep9iDD4A/jJqUtUCIrt7C7mNrIXoKKYc2hA
W5ZL31Rkl9FkWDMpfhaG+ZOeSGZZ3u4S9Oe+mE2DB5sEkG4iHtYfiB1O4YoS6fLO
0IOXPqyRP5/635PeLoThu8n/R3n7JRmCEr0XLBVuHD+onZJao8RPH4alxHg7xxy9
k7qrv7s6qf7GWHAShadBjFTipGjeKz/jAbrNwInc5R5mG+aolee5JL5CwUXmKzfx
rNHajvcjkNSLtlmn4ShP/99G2/NvxoQVAgMBAAGjggMiMIIDHjAfBgNVHSMEGDAW
gBSljP4yzOsPLNQZxgi4ACSIXcPFtzAdBgNVHQ4EFgQUAwYkpamw+6HG2RSAdjvJ
fE7/StMwIwYDVR0RBBwwGoIMKi54d29ya3MubmV0ggp4d29ya3MubmV0MA4GA1Ud
DwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwOwYDVR0f
BDQwMjAwoC6gLIYqaHR0cDovL2NkcC50aGF3dGUuY29tL1RoYXd0ZVRMU1JTQUNB
RzEuY3JsMEwGA1UdIARFMEMwNwYJYIZIAYb9bAECMCowKAYIKwYBBQUHAgEWHGh0
dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwCAYGZ4EMAQIBMHAGCCsGAQUFBwEB
BGQwYjAkBggrBgEFBQcwAYYYaHR0cDovL3N0YXR1cy50aGF3dGUuY29tMDoGCCsG
AQUFBzAChi5odHRwOi8vY2FjZXJ0cy50aGF3dGUuY29tL1RoYXd0ZVRMU1JTQUNB
RzEuY3J0MAkGA1UdEwQCMAAwggF+BgorBgEEAdZ5AgQCBIIBbgSCAWoBaAB2AKS5
CZC0GFgUh7sTosxncAo8NZgE+RvfuON3zQ7IDdwQAAABb3p6L/0AAAQDAEcwRQIh
APVMd9RREwyWShS3ofbewGiPZQrpA/5mZzUIr+vCHVXuAiAhEh2DClQf4NlmHrRf
zGTt3qyJP+NgF72Q9xNLKW8x/wB3AId1v+dZfPiMQ5lfvfNu/1aNR1Y2/0q1YMG0
6v9eoIMPAAABb3p6MMUAAAQDAEgwRgIhAN0qNs00yc6VNlWUrwXh5DjYj0L0dla0
RWq79G+vzLi7AiEA9vF3GQA5oo64YXtCyu6HamBre9UlEFmkrWI7PHGInfgAdQC7
2d+8H4pxtZOUI5eqkntHOFeVCqtS6BqQlmQ2jh7RhQAAAW96ei/4AAAEAwBGMEQC
IH6q1BjTYAglaLImgNh/nDO42IUAp6wGhUH/W9wwvoG/AiAwrzgs7lrCKQ/cDRiJ
c4zS+tpwulgQLIiDaLxJl79fSDANBgkqhkiG9w0BAQsFAAOCAQEAnGS9qEmAzvxr
ka3RCZFuAXY9lV7vtGH2B65ooezsWHkmBu7pCf0yhfH99TroYTXsW6PnamtXSc+h
ouEyHUeSt7n8xs1uJlG+7uNtX8xdUWfhpjBVC8AWjKShnMBTw7cl5q1uAmqtlh6o
TErpNifEQ7U+hO6pVjT6fxqTwcd5BqgNoVzl5hCS2GE8Dup2e5WYFwtmiBzaM5pi
Yr2PAbQ4kg5Gn7wZOtGHyYWgTIXfOwQr2ff7kNHcrzWYTk6ad8UAIxTM0M7cGwEb
+XVj1d3Jfq5Himsn3MI0BRrNEsW6ky+swQ2DF0Y1wDjloULNP8Wtt1n9IcZfyUux
L9WfQI1KyA==
-----END CERTIFICATE-----
subject=CN = *.xworks.net

issuer=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1

---
Acceptable client certificate CA names
C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL SHA256 CA
C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2008 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA - G3
C = US, O = DigiCert Inc, OU = www.digicert.com, CN = Thawte TLS RSA CA G1
Client Certificate Types: RSA fixed DH, DSS fixed DH, RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:0x01+0x01
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 5213 bytes and written 576 bytes
Verification: OK
---
New, SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 641D602BADA350224D091262327710D2F1CF9717C999C585FFB0F6BDF65F8747
    Session-ID-ctx:
    Master-Key: B1CBAAFE6731E268E655A80F904BECFFE68DEDB3E7DD38A653F533271F7FBBD920F22705D0A6587C30928278BC5879A5
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 1 (seconds)
    TLS session ticket:
    0000 - 52 f5 3a 34 d1 00 54 34-0f db c0 17 6e 62 98 73   R.:4..T4....nb.s
    0010 - 3c d5 a5 af bc 6c 70 48-96 30 bc 1e 7b 39 7e 04   <....lpH.0..{9~.
    0020 - 6e ab 08 ef 1e bd 89 e5-ae a6 46 7e c1 fa 52 48   n.........F~..RH
    0030 - 4a 6e ec 44 e2 24 70 6b-b3 f6 55 08 bd 1b 49 21   Jn.D.$pk..U...I!
    0040 - 13 47 e7 ab 63 7a b1 14-c7 c6 15 71 ab c1 1d 09   .G..cz.....q....
    0050 - 5d ca 0e 3b d7 da df a4-7e 72 a7 80 b6 b7 65 ff   ]..;....~r....e.
    0060 - b7 0a 7f 25 51 83 58 5b-06 5d 81 c9 4a 17 db 98   ...%Q.X[.]..J...
    0070 - 1f a3 3e e6 e4 59 e9 c2-4f 64 bb 64 26 55 8e b8   ..>..Y..Od.d&U..
    0080 - 0f da 8f 2f 24 3d 47 ce-79 46 54 71 0c 89 70 4e   .../$=G.yFTq..pN
    0090 - 39 49 41 fe c2 96 26 b2-d3 8d 88 8d 2d 93 cf e5   9IA...&.....-...
    00a0 - 38 df 55 b4 35 9a 7d 51-13 b6 71 4d e5 47 97 0b   8.U.5.}Q..qM.G..

    Start Time: 1583405463
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
250 HELP

this is also mentioned here:

In your case, things did not even reach that point: the server responded with a fatal alert 40 (“handshake_failure”, see the standard). As @dave_thompson_085 points out, this is due to a lack of SNI: this is an extension by which the client documents in its ClientHello message the name of the target server. SNI is needed by some servers because they host several SSL-enabled sites on the same IP address, and need that parameter to know which certificate they should use. The command-line tool openssl s_client can send an SNI with an explicit -servername option.

any ideas, how to fix this for?

can i force to send mail to kabelmail.de with tls1.2 only?
seems, like kabelmail.de (mx01.xworks.net) is the problem server.
https://lists.exim.org/lurker/message/20190109.195254.12dc8424.en.html

here is the formatted log:

Mar 5 10:50:49 box postfix/smtp[57260]: initializing the client-side TLS engine
Mar 5 10:50:49 box postfix/smtp[57260]: setting up TLS connection to [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25
Mar 5 10:50:49 box postfix/smtp[57260]: [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25: TLS cipher list “ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4:!aNULL”
Mar 5 10:50:49 box postfix/smtp[57260]: looking for session smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 in smtp cache
Mar 5 10:50:49 box postfix/tlsmgr[85965]: lookup smtp session id=smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:49 box postfix/smtp[57260]: [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25: SNI hostname: [mx01.xworks.net](http://mx01.xworks.net/)
Mar 5 10:50:49 box postfix/smtp[57260]: SSL_connect:before SSL initialization
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:SSLv3/TLS write client hello
Mar 5 10:50:50 box postfix/smtp[57260]: SSL3 alert read:fatal:handshake failure
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:error in error
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect error to [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25: -1
Mar 5 10:50:50 box postfix/smtp[57260]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1528:SSL alert number 40:
Mar 5 10:50:50 box postfix/smtp[57260]: remove session smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 from client cache
Mar 5 10:50:50 box postfix/tlsmgr[85965]: delete smtp session id=smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:50 box postfix/smtp[57260]: E489DA005D: to=[s.dittmann@kabelmail.de](mailto:s.dittmann@kabelmail.de), [relay=mx01.xworks.net](http://relay%3Dmx01.xworks.net/)[31.25.48.11]:25, delay=55045, delays=55045/0.02/0.21/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Mar 5 10:50:49 box postfix/smtp[57260]: initializing the client-side TLS engine
Mar 5 10:50:49 box postfix/smtp[57260]: setting up TLS connection to [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25
Mar 5 10:50:49 box postfix/smtp[57260]: [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25: TLS cipher list “ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:
ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!RC4:!aNULL”
Mar 5 10:50:49 box postfix/smtp[57260]: looking for session smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 in smtp cache
Mar 5 10:50:49 box postfix/tlsmgr[85965]: lookup smtp session id=smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:49 box postfix/smtp[57260]: [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25: SNI hostname: [mx01.xworks.net](http://mx01.xworks.net/)
Mar 5 10:50:49 box postfix/smtp[57260]: SSL_connect:before SSL initialization
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:SSLv3/TLS write client hello
Mar 5 10:50:50 box postfix/smtp[57260]: SSL3 alert read:fatal:handshake failure
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect:error in error
Mar 5 10:50:50 box postfix/smtp[57260]: SSL_connect error to [mx01.xworks.net](http://mx01.xworks.net/)[31.25.48.11]:25: -1
Mar 5 10:50:50 box postfix/smtp[57260]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:…/ssl/record/rec_layer_s3.c:1528:SSL alert number 40:
Mar 5 10:50:50 box postfix/smtp[57260]: remove session smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1 from client cache
Mar 5 10:50:50 box postfix/tlsmgr[85965]: delete smtp session id=smtp&[kabelmail.de ](http://kabelmail.de/)&[mx01.xworks.net](http://mx01.xworks.net/)&31.25.48.11&&143E96FC25671E1BB246A66CDB0B67592659550F260F92BEDC12141F2D30FEE1
Mar 5 10:50:50 box postfix/smtp[57260]: E489DA005D: to=*some.username*@kabelmail.de, [relay=mx01.xworks.net](http://relay%3Dmx01.xworks.net/)[31.25.48.11]:25, delay=55045, delays=55045/0.02/0.21/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)

Please edit your original post:

Highlight the block of unformatted log messages, then click the </> button.

I find it almost impossible to parse logs that are not monospace.

i cannot edit it anymore… i´ve pasted it to the other post. sorry!

Is there a solution for this issue? One of my users is hitting the same error when trying to send mail to kabelmail.de. Do I need to enable SNI on my end? If so, how do I do that?

My recommendation would be for users of kabelmail.de to complain loudly to their support, and move to a different provider. For the issue (from a quick glance at this thread) seems to be on their side.

I would be very surprised to learn that MiaB is the only mail server having problems with delivery to and from kabelmail.de. They seem to have lots of issues. Imagine having a business where you never upgrade anything and people still pay you money.

OFF TOPIC:

Heh, like GoDaddy or EIG hosting brands???