On 2020-07-29 04:12, Larkin Nickle wrote:

Looking at smtpd.conf(5), you should be able to put `smtp ciphers control` (control being the 
control string of allowed ciphers). The default is "HIGH:!aNULL:!MD5". I think 
"HIGH:!aNULL:!MD5!TLSv1.3" should be valid in removing TLSv1.3 as far as I can tell 
according to SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but this might be 
a useful starting point.

That helped alot. Using TLS 1.2 I was able to actually see something
in the tcpdump (see attachment).

Apparently my MTA sends a Client Hello (TLS 1.2 protocol) to the
peer, including a list of ciphers and several extensions. The peer
(buxtehude.debian.org) answers with "Handshake failure", but it
doesn't tell what exactly is wrong. See attachment.

Any ideas? I am sure you guys are more proficient in reading TLS
protocol than I am.


Attachment: buxtehude.debian.org.pcap
Description: application/vnd.tcpdump.pcap

Reply via email to