Quoting Greg Earle <ea...@isolar.dyndns.org>:

> I was expecting an incoming e-mail from PayPal but noticed these errors
> in my syslog when it tried to deliver it:
>
> Jan 26 01:11:28 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[::ffff:173.0.84.227]
> Jan 26 01:11:28 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:11:38 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[::ffff:66.211.168.231]
> Jan 26 01:11:39 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:31:28 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[::ffff:173.0.84.228]
> Jan 26 01:31:29 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Jan 26 01:31:39 isolar courieresmtpd: [ID 702911 mail.info] started,ip=[::ffff:66.211.168.231]
> Jan 26 01:31:39 isolar courieresmtpd: [ID 952582 mail.error] courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
>
> A Google search showed an old thread on here where Sam responded, saying
> to set TLS_PROTOCOL to "TLS1" in both "esmtpd" and "esmtpd-ssl".  But
> that's what I've already got mine set to:
>
> isolar:1:1100 [/opt/courier/etc] # grep ^TLS_P esmtpd esmtpd-ssl
> esmtpd:TLS_PROTOCOL=TLS1
> esmtpd-ssl:TLS_PROTOCOL=TLS1
>
> So what do I do?  Is there some trickery I can put into smtpaccess/default
> to make them not try to do STARTTLS or something?  Or some other file?
>
> I already have some entries for PayPal in there:
>
> isolar:1:1107 [/opt/courier/etc] # egrep PayPal\|173.0.84\|66.211.168 smtpaccess/default
> # PayPal has their machines crossed
> 66.211.168.231  allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.225    allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.226    allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.227    allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
> 173.0.84.228    allow,RELAYCLIENT,BOFHCHECKDNS=0,BOFHCHECKHELO=0
>
> I don't want to switch back to TLS_PROTOCOL=SSL23 just to suit PayPal ...

Hello Greg!

In /etc/courier/esmtproutes you may instruct Courier to deliver without STARTTLS

txtlocal.co.uk:mx1.emailsrvr.com,25 /SECURITY=REQUIRED

In your case - reception - try setting TLS_CIPHER_LIST according to
https://mozilla.github.io/server-side-tls/ssl-config-generator/ (set your OpenSSL version)
and make sure TLS_CERTFILE points to a valid certificate:

$ openssl x509 -in $TLS_CERTFILE -noout -text

It does not hurt to have a proper certificate.
https://github.com/veeti/manuale

All the best!


SZÉPE Viktor
https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
-- 
+36-20-4242498  s...@szepe.net  skype: szepe.viktor
Budapest, III. kerület





_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
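
The syslog pattern from the quoted report, as an added example that is not part of either post and is not Courier tooling: a shell function that pairs each `STARTTLS failed` line with the preceding `started,ip=` line and counts failures per client and OpenSSL reason. The function names and the sample lines (constructed by re-joining the log quoted above) are assumptions of this example, as is attribution by adjacency, since these log lines carry no PID.

```sh
#!/bin/sh
# Added example, not Courier tooling. Assumption: syslog lines are unwrapped
# and carry no PID, so a failure is attributed to the most recent
# "started,ip=[...]" line; overlapping connections can be misattributed.

starttls_failures() {   # stdin: syslog; stdout: count<TAB>ip<TAB>reason
    awk '
    /courieresmtpd:.*started,ip=\[/ {
        ip = $0
        sub(/.*started,ip=\[/, "", ip)
        sub(/\].*/, "", ip)
        sub(/^::ffff:/, "", ip)          # IPv4-mapped IPv6 -> plain IPv4
        last_ip = ip
        next
    }
    /courieresmtpd:.*STARTTLS failed:/ {
        reason = $0
        sub(/.*STARTTLS failed: */, "", reason)
        sub(/.*error:[0-9A-Fa-f]+:/, "", reason)   # drop OpenSSL error code
        key = (last_ip == "" ? "unknown" : last_ip) "\t" reason
        count[key]++
        last_ip = ""                     # one failure per connection
    }
    END { for (k in count) printf "%d\t%s\n", count[k], k }
    ' | LC_ALL=C sort -k2
}

sample_log() {   # constructed: the quoted log lines, re-joined
    e='courieresmtpd: STARTTLS failed: couriertls: connect: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'
    while read -r t ip; do
        echo "Jan 26 $t isolar courieresmtpd: [ID 702911 mail.info] started,ip=[::ffff:$ip]"
        echo "Jan 26 $t isolar courieresmtpd: [ID 952582 mail.error] $e"
    done <<'EOF'
01:11:28 173.0.84.227
01:11:38 66.211.168.231
01:31:28 173.0.84.228
01:31:39 66.211.168.231
EOF
}

sample_log | starttls_failures
```

On a live server, feed the function the mail log instead of `sample_log`; a peer that shows up repeatedly with the same reason is the one whose handshake to investigate.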
