On 2020-07-29 04:12, Larkin Nickle wrote:
Looking at smtpd.conf(5), you should be able to put `smtp ciphers control` (control being the control string of allowed ciphers). The default is "HIGH:!aNULL:!MD5". I think "HIGH:!aNULL:!MD5!TLSv1.3" should be valid in removing TLSv1.3 as far as I can tell according to SSL_CTX_set_cipher_list(3). I haven't actually tested this however, but this might be a useful starting point.
That helped alot. Using TLS 1.2 I was able to actually see something in the tcpdump (see attachment). Apparently my MTA sends a Client Hello (TLS 1.2 protocol) to the peer, including a list of ciphers and several extensions. The peer (buxtehude.debian.org) answers with "Handshake failure", but it doesn't tell what exactly is wrong. See attachment. Any ideas? I am sure you guys are more proficient in reading TLS protocol than I am. Harri