I updated a Postfix server,

    postconf mail_version
        mail_version = 3.8.1

on

    lsb_release -rd
        Description:    Fedora release 38 (Thirty Eight)
        Release:        38

with

    openssl version
        OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

with a system-default openssl config that contains

    cat /etc/ssl/openssl.cnf
        openssl_conf = default_conf
        [default_conf]
        ssl_conf = ssl_sect
        [ssl_sect]
        system_default = system_default_sect
        [system_default_sect]
        MinProtocol = TLSv1.2
        ...

and

    postconf | grep -i tls_proto
        lmtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
        smtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
        smtpd_tls_protocols = >=TLSv1.1, <=TLSv1.3
        tlsproxy_tls_protocols = $smtpd_tls_protocols

Tests @ https://www.checktls.com/TestReceiver with SSL Version = TLSv1_2 succeed, as expected.

With SSL Version = TLSv1_1 they fail with

    [000.000] Trying TLS on mx.example.com[192.0.2.1:25] (5)
    [000.010] Server answered
    [006.470] <-- 220 mx.example.com ESMTP . All access monitored/recorded.
    [006.470] We are allowed to connect
    [006.471] --> EHLO www12-azure.checktls.com
    [006.479] <-- 250-mx.example.com
              250-PIPELINING
              250-SIZE 104857600
              250-STARTTLS
              250-ENHANCEDSTATUSCODES
              250-8BITMIME
              250 SMTPUTF8
    [006.480] We can use this server
    [006.480] TLS is an option on this server
    [006.480] --> STARTTLS
    [006.489] <-- 220 2.0.0 Ready to start TLS
    [006.489] STARTTLS command works on this server
    [007.511] Cannot convert to SSL (reason: SSL connect attempt failed error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure)
    [007.512] Note: This same test with Format set to "Debug" may show more
    [007.512] --> MAIL FROM:<t...@checktls.com>
    [007.512] Read failed (reason: did not read)
    [007.512] --> QUIT
    [007.512] Read failed (reason: did not read)

I'm attempting to split off a Postfix-specific openssl conf, as enabled by v3.8.1's 'two new parameters "tls_config_file" and "tls_config_name"', and enable TLSv1_1 support.

I create

    ls -al /etc/postfix/openssl_postfix.cnf
        -rw-r--r--. 1 root postfix 3.1K Jun  6 07:37 openssl_postfix.cnf

    cat /etc/postfix/openssl_postfix.cnf
        openssl_conf = default_conf
        [default_conf]
        ssl_conf = ssl_sect
        [ssl_sect]
        system_default = system_default_sect
        [system_default_sect]
        MinProtocol = TLSv1.1

and add to

    cat /etc/postfix/main.cf
        + tls_config_file = /etc/postfix/openssl_postfix.cnf
        + tls_config_name = openssl_conf

    postconf | grep -i tls_config_
        tls_config_file = /etc/postfix/openssl_postfix.cnf
        tls_config_name = openssl_conf

No errors are reported on postfix restart; mail still flows, but tests @ https://www.checktls.com/TestReceiver with SSL Version TLSv1_1 still fail, as above.

What config change/addition is needed to get Postfix to use the MinProtocol = TLSv1.1 spec'd in the id'd tls_config_file, and enable TLSv1.1?

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
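An offline check for the file described in the post above, added here as an example; it is not code from Postfix, OpenSSL or the original poster. It resolves the section chain that the tls_config_name value selects (openssl_conf -> ssl_conf -> system_default), reads the resulting MinProtocol and CipherString, and applies one rule from the OpenSSL 3.0 release notes: SHA-1/MD5-based handshake signatures were downgraded, so SSLv3, TLS 1.0 and TLS 1.1 no longer negotiate at the default security level 1 and need "@SECLEVEL=0" in CipherString. A MinProtocol = TLSv1.1 line on its own therefore does not make TLS 1.1 negotiable on an OpenSSL 3.0.x build. The configuration texts are constructed from the shape of the posted file; the crypto-policies include path in the third sample is hypothetical and is recorded, not read.

```python
"""Offline audit of an OpenSSL config file of the kind Postfix 3.8's
tls_config_file / tls_config_name point at.  Added example for this thread,
not Postfix, OpenSSL or the poster's code; configs below are constructed."""
import re

# OpenSSL protocol names as used by MinProtocol/MaxProtocol, oldest first.
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# OpenSSL 3.0 release notes: SHA-1/MD5 handshake signatures were downgraded, so
# SSLv3, TLS 1.0 and TLS 1.1 no longer negotiate at the default security level
# 1 and need "@SECLEVEL=0" in CipherString.
MIN_PROTO_AT_SECLEVEL_1 = "TLSv1.2"


def parse_openssl_cnf(text):
    """Return ({section: {key: value}}, [included paths]); keys above the first
    [section] land in section "", .include lines are recorded, not followed."""
    sections, includes = {"": {}}, []
    current = sections[""]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if m := re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line):
            current = sections.setdefault(m.group(1), {})
        elif m := re.fullmatch(r"\.include\s*=?\s*(\S.*)", line):
            includes.append(m.group(1))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections, includes


def resolve_ssl_defaults(sections, app_name="openssl_conf"):
    """Follow app_name -> ssl_conf -> system_default; return (settings, chain).
    app_name is what Postfix's tls_config_name names: it must appear as
    "<app_name> = <section>" above the first section header, otherwise the
    ssl_conf settings in the file are not applied."""
    chain, name = [], sections[""].get(app_name)
    for link in (None, "ssl_conf", "system_default"):
        if link is not None:
            name = sections.get(name, {}).get(link)
        if name is None:
            return {}, chain
        chain.append(name)
    return dict(sections.get(name, {})), chain


def security_level(cipher_string, default=1):
    """Level requested by e.g. 'DEFAULT:@SECLEVEL=0' (last wins); default is 1."""
    levels = re.findall(r"@SECLEVEL=(\d)", cipher_string or "")
    return int(levels[-1]) if levels else default


def floor_reachable(min_protocol, seclevel):
    """(bool, reason): can this MinProtocol floor be negotiated at this
    security level under OpenSSL 3.0?"""
    if min_protocol not in PROTO_ORDER:
        return False, f"unknown protocol name {min_protocol!r}"
    if seclevel >= 1 and PROTO_ORDER.index(min_protocol) < PROTO_ORDER.index(MIN_PROTO_AT_SECLEVEL_1):
        return False, f"{min_protocol} needs @SECLEVEL=0 under OpenSSL 3.0; level here is {seclevel}"
    return True, "ok"


def audit(cnf_text, app_name="openssl_conf"):
    """Report what the file asks for and whether that floor is negotiable."""
    sections, includes = parse_openssl_cnf(cnf_text)
    settings, chain = resolve_ssl_defaults(sections, app_name)
    min_proto = settings.get("MinProtocol")
    seclevel = security_level(settings.get("CipherString"))
    report = {"chain": chain, "min_protocol": min_proto, "seclevel": seclevel,
              "includes": includes, "reachable": None, "warnings": []}
    if len(chain) < 3:
        report["warnings"].append(f"'{app_name}' does not lead to a system_default section")
    elif min_proto:
        report["reachable"], why = floor_reachable(min_proto, seclevel)
        if not report["reachable"]:
            report["warnings"].append(why)
    if includes:  # offline: cannot see what a crypto-policy include adds or overrides
        report["warnings"].append("included files may override: " + ", ".join(includes))
    return report


# Constructed: the shape of the posted /etc/postfix/openssl_postfix.cnf.
CNF_AS_POSTED = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.1
"""
# Constructed: same file with the security level lowered so a TLS 1.1 floor can
# be negotiated; a deliberate downgrade, so keep it in the Postfix-only file.
CNF_SECLEVEL0 = CNF_AS_POSTED + "CipherString = DEFAULT:@SECLEVEL=0\n"
# Constructed: a distro-style system file; the include path is hypothetical.
CNF_SYSTEM = CNF_AS_POSTED.replace("TLSv1.1", "TLSv1.2").replace(
    "[default_conf]", ".include /etc/crypto-policies/back-ends/opensslcnf.config\n[default_conf]")

if __name__ == "__main__":
    for label, text in [("as posted", CNF_AS_POSTED), ("seclevel 0", CNF_SECLEVEL0), ("system", CNF_SYSTEM)]:
        print(label, audit(text))
```

Run it as-is to see the three reports, or point audit() at the contents of a real file. Two things it cannot tell you: whether the running smtpd actually loaded the file (that is a Postfix question, not an OpenSSL one), and what an included crypto-policy file contributes, since it is not read. For a live check of the server, `openssl s_client -connect mx.example.com:25 -starttls smtp -tls1_1` exercises the same STARTTLS path as the checktls test; note that an s_client built on OpenSSL 3.0 needs `-cipher 'DEFAULT:@SECLEVEL=0'` itself before it will offer TLS 1.1, for the same reason.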