On Thu, Jun 29, 2023 at 03:30:22PM +0300, Nikolaos Milas via Postfix-users wrote:
> Jun 29 06:07:51 mailgw1 postfix/smtpd[471355]: warning:
> hostname chg.server1.ideacentral.com
> does not resolve to address 173.236.106.135
>
> 1. Is it normal/acceptable to have hostnames not resolving to the IP
> Address? Should we drop such connections? If so, how?

This is common enough to largely ignore.

> Jun 29 06:07:54 mailgw1 postfix/postscreen[469582]: warning: dnsblog
> reply timeout 10s for dnsbl.sorbs.net

Perhaps you're using sorbs via an open resolver? If this error is
frequent, you should either discontinue use of the SORBS list, or figure
out how to address the timeouts.

> Jun 29 06:15:15 mailgw1 postfix/smtpd[471389]: warning:
> TLS library problem: error:14209102:SSL routines:
> tls_early_post_process_client_hello:
> unsupported protocol:ssl/statem/statem_srvr.c:1686:

> 2. The TLS errors are caused by clients with older TLS protocols (as we
> allow only TLS 1.2 or 1.3) or we should investigate some OpenSSL library
> misbehavior? In any case, which TLS settings would you advise from
> experience?

For some hard to fathom reason you've elected to prefer unencrypted SMTP
over adequately encrypted TLS 1.0. There is no "misbehaviour", you've
disabled TLS 1.0 and so OpenSSL does not support the protocol just as
you asked.

> My question: How should I best configure postfix to get rid of these
> warnings?

Don't disable TLS 1.0 and 1.1:

    smtpd_tls_protocols = >=TLSv1

as documented, make sure to leave no spaces after ">=".

> [root@mailgw1 postfix]# postconf -n
> [...]
> smtpd_tls_protocols = >=TLSv1.2

There's your mistake. I have:

    $ postconf -n | grep smtpd_tls_
    smtpd_tls_auth_only = yes
    smtpd_tls_chain_files = /usr/local/etc/letsencrypt/live/...
    smtpd_tls_dh1024_param_file = auto
    smtpd_tls_loglevel = 1
    smtpd_tls_received_header = yes
    smtpd_tls_security_level = may

-- 
    Viktor.
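
An added example, not part of the message above or of Postfix itself: a Python tally of the three warning types discussed in this thread, to judge how frequent each one is and which clients are hitting the protocol floor. The sample log is constructed from the formats quoted above; the `SSL_accept error` line, the 192.0.2.10 address and the function name `summarize` are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the warnings quoted in the thread.
# Assumption: an "SSL_accept error" line naming the client precedes the
# TLS library warning from the same smtpd PID; 192.0.2.10 is a
# documentation address, not taken from the thread.
SAMPLE_LOG = """\
Jun 29 06:07:51 mailgw1 postfix/smtpd[471355]: warning: hostname chg.server1.ideacentral.com does not resolve to address 173.236.106.135
Jun 29 06:07:54 mailgw1 postfix/postscreen[469582]: warning: dnsblog reply timeout 10s for dnsbl.sorbs.net
Jun 29 06:15:15 mailgw1 postfix/smtpd[471389]: SSL_accept error from unknown[192.0.2.10]: -1
Jun 29 06:15:15 mailgw1 postfix/smtpd[471389]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jun 29 06:20:01 mailgw1 postfix/postscreen[469582]: warning: dnsblog reply timeout 10s for dnsbl.sorbs.net
"""

LINE = re.compile(r"postfix/\w+\[(\d+)\]: (.*)$")
ACCEPT = re.compile(r"SSL_accept error from (\S+\[[^\]]+\])")
DNSBL = re.compile(r"warning: dnsblog reply timeout \d+s for (\S+)")
PTR = re.compile(r"warning: hostname \S+ does not resolve to address (\S+)")


def summarize(log_text):
    """Count DNSBL timeouts per list, PTR mismatches per address, and
    'unsupported protocol' handshake failures per client."""
    dnsbl, ptr, tls = Counter(), Counter(), Counter()
    last_client = {}  # smtpd PID -> client from its latest SSL_accept error
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if a := ACCEPT.match(msg):
            last_client[pid] = a.group(1)
        elif d := DNSBL.match(msg):
            dnsbl[d.group(1)] += 1
        elif p := PTR.match(msg):
            ptr[p.group(1)] += 1
        elif "TLS library problem" in msg and "unsupported protocol" in msg:
            # Clients counted here could not negotiate an enabled protocol.
            tls[last_client.pop(pid, "client not logged")] += 1
    return {"dnsbl_timeouts": dnsbl, "ptr_mismatches": ptr,
            "tls_protocol_rejects": tls}


if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_LOG).items():
        print(name, dict(counts))
```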