On 28/03/2024 05:16, Viktor Dukhovni wrote:
On Wed, Mar 27, 2024 at 08:37:12PM -0400, Wietse Venema wrote:
Viktor Dukhovni:
And the server objects, since it supports TLS 1.3. Now you need to
figure out why the client is signalling fallback.
Would it be feasible to set up a dedicated submission service on a
different TCP port (or IP address) that has TLSv1.3 turned off?

Then there should be no fallback issues.
That's worth a try:

     588 inet ... smtpd
         -o smtpd_tls_security_level=encrypt
         -o smtpd_tls_mandatory_protocols=TLSv1.2
         ...

Limiting to only TLSv1.2 did the job.


With only TLS 1.2 enabled, the client's initial handshake might lead to
a TLS 1.2 session.  Though if the Postfix server never sees an initial
handshake attempt, the problem could be that the firewall is blocking
the TLS client hello with TLS 1.3 offered (and various 1.3-specific
extensions), in which case limiting Postfix to 1.2 might not help.

One would have to restrict the client's software to TLS 1.2, or identify
and pacify the firewall.

The firewall is doing a simple port forward, nothing more.

Anyway, it makes sense: the old server worked because it had CentOS 7 with max. TLSv1.2

I will use a dedicated smtpd service.

Thank you for your help!

    Levi
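Added example, not from the thread: a small POSIX shell probe that runs openssl s_client over STARTTLS against a submission service at TLS 1.2 and then TLS 1.3, and classifies each result so that "the server refused this version" can be told apart from "TCP connected but no ServerHello ever came back", which is the middlebox case Viktor describes above. It assumes the openssl and coreutils timeout binaries are installed; host and port (588 is the dedicated port from the thread) are passed on the command line.

```shell
#!/bin/sh
# Probe which TLS versions a STARTTLS submission service actually negotiates.
# Example code added to this thread; the host/port values are the caller's.

# classify_s_client CAPTURED_OUTPUT
#   prints: negotiated:<version> | refused | no-reply | connect-failed
classify_s_client() {
    # "Protocol  : TLSvX.Y" appears in s_client's SSL-Session block on success
    proto=$(printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        printf 'negotiated:%s\n' "$proto"
    elif printf '%s\n' "$1" | grep -qiE 'alert protocol version|unsupported protocol|no protocols available'; then
        # the peer answered with a protocol_version alert, or this version is
        # unavailable locally: either way the handshake was answered, not dropped
        printf 'refused\n'
    elif printf '%s\n' "$1" | grep -q '^CONNECTED('; then
        # TCP (and SMTP STARTTLS) got through but no ServerHello arrived before
        # the timeout: consistent with something dropping the ClientHello itself
        printf 'no-reply\n'
    else
        printf 'connect-failed\n'
    fi
}

# probe_versions HOST [PORT]  (PORT defaults to the thread's dedicated 588)
probe_versions() {
    host=$1; port=${2:-588}
    for flag in -tls1_2 -tls1_3; do
        out=$(timeout 15 openssl s_client -starttls smtp -connect "$host:$port" "$flag" </dev/null 2>&1)
        printf '%-8s %s\n' "$flag" "$(classify_s_client "$out")"
    done
}

# Only probe when a host was given, e.g.:  sh probe_tls.sh mail.example.com 588
if [ $# -ge 1 ]; then
    probe_versions "$@"
fi
```

A 1.2-only service should show `-tls1_2 negotiated:TLSv1.2` and `-tls1_3 refused`; a `no-reply` for `-tls1_3` alone points at the path, not at Postfix.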

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org