On Thu, Jun 29, 2023 at 03:30:22PM +0300, Nikolaos Milas via Postfix-users 
wrote:

> Jun 29 06:07:51 mailgw1 postfix/smtpd[471355]: warning:
>   hostname chg.server1.ideacentral.com
>   does not resolve to address 173.236.106.135
>
> 1. Is it normal/acceptable to have hostnames not resolving to the IP 
> Address? Should we drop such connections? If so, how?

This is common enough to largely ignore.

> Jun 29 06:07:54 mailgw1 postfix/postscreen[469582]: warning: dnsblog 
> reply timeout 10s for dnsbl.sorbs.net

Perhaps you're using sorbs via an open resolver?  If this error is
frequent, you should either discontinue use of the SORBS list, or
figure out how to address the timeouts.

> Jun 29 06:15:15 mailgw1 postfix/smtpd[471389]: warning:
>   TLS library problem: error:14209102:SSL routines:
>   tls_early_post_process_client_hello:
>   unsupported protocol:ssl/statem/statem_srvr.c:1686:

> 2. The TLS errors are caused by clients with older TLS protocols (as we 
> allow only TLS 1.2 or 1.3) or we should investigate some OpenSSL library 
> misbehavior? In any case, which TLS settings would you advise from 
> experience?

For some hard to fathom reason you've elected to prefer unencrypted SMTP
over adequately encrypted TLS 1.0.  There is no "misbehaviour", you've
disabled TLS 1.0 and so OpenSSL does not support the protocol just as
you asked.

> My question: How should I best configure postfix to get rid of these
> warnings?

Don't disable TLS 1.0 and 1.1:

    smtpd_tls_protocols = >=TLSv1

as documented, make sure to leave no spaces after ">=".

> [root@mailgw1 postfix]# postconf -n
> [...]
> smtpd_tls_protocols = >=TLSv1.2

There's your mistake.  I have:

    $ postconf -n | grep smtpd_tls_
    smtpd_tls_auth_only = yes
    smtpd_tls_chain_files = /usr/local/etc/letsencrypt/live/...
    smtpd_tls_dh1024_param_file = auto
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may

-- 
    Viktor.
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org
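
An added example, not part of the original message and not Postfix code: a small Python audit of `postconf -n` style output for the point made in the reply above, that a protocol floor above TLSv1 combined with opportunistic TLS leaves older clients with no TLS at all. The sample input is constructed, the `may` security level for the poster's host is an assumption, and the function names and finding codes are hypothetical.

```python
import re

# Protocol names in ascending order, as spelled in Postfix settings.
ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample: the protocol line quoted in the thread plus an
# assumed opportunistic security level for the same host.
SAMPLE = "smtpd_tls_protocols = >=TLSv1.2\nsmtpd_tls_security_level = may\n"

def parse_postconf(text):
    """Turn 'name = value' lines (postconf -n style) into a dict."""
    conf = {}
    for line in text.splitlines():
        if "=" in line:
            name, _, value = line.partition("=")
            conf[name.strip()] = value.strip()
    return conf

def protocol_floor(value):
    """Lowest protocol the setting still permits (simplified parse)."""
    allowed = set(ORDER)
    for tok in re.split(r"[,\s:]+", value.strip()):
        if tok[:2] == ">=" and tok[2:] in ORDER:
            allowed -= set(ORDER[:ORDER.index(tok[2:])])
        elif tok[:2] == "<=" and tok[2:] in ORDER:
            allowed -= set(ORDER[ORDER.index(tok[2:]) + 1:])
        elif tok.startswith("!"):
            allowed.discard(tok[1:])
    return next((p for p in ORDER if p in allowed), None)

def audit(text):
    """Return finding codes for the smtpd TLS protocol settings."""
    conf = parse_postconf(text)
    raw = conf.get("smtpd_tls_protocols")
    if raw is None:
        return []  # not overridden, nothing to check
    findings = []
    if re.search(r"[<>]=\s+\S", raw):
        # The reply warns against spaces after ">=".
        findings.append("space-after-operator")
        raw = re.sub(r"([<>]=)\s+", r"\1", raw)
    floor = protocol_floor(raw)
    opportunistic = conf.get("smtpd_tls_security_level") == "may"
    if floor and ORDER.index(floor) > ORDER.index("TLSv1") and opportunistic:
        # Clients limited to protocols below the floor get no TLS at all.
        findings.append("floor-above-TLSv1-with-opportunistic-TLS")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```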
