Sorry, this was a problem with the system-wide cryptographic policies. I set it to DEFAULT and it works. This is unexpected though, since at least two TLS1.3 ciphersuites are enabled with FIPS:OSPP and TLS1.3 works with Nginx (Dovecot is similar to Postfix though, and both are fixed with this crypto setting). Surely, something in how Postfix/Dovecot use OpenSSL is getting blocked when using FIPS mode. Is that a bad configuration or a bug perhaps?
Still wondering whether I can enable server-to-server connections opportunistically over port 465 though, not just 587.

Thanks for the help Matthias!

Kind regards,
Taco de Wolff

On Mon, Jan 22, 2024 at 12:15 PM Taco de Wolff <tacodewo...@gmail.com> wrote:

> Thanks Matthias, great point. I was sure that should've fixed the problem as it should indeed be SHA256. For some weird reason I still can't connect with TLS1.3 though. Some additional information while trying to connect from localhost with smtpd_log_level=2:
>
> # cat /var/log/maillog
> Jan 22 16:13:11 ares postfix/smtpd[24282]: initializing the server-side TLS engine
> Jan 22 16:13:11 ares postfix/smtpd[24282]: connect from localhost[::1]
> Jan 22 16:13:11 ares postfix/smtpd[24282]: setting up TLS connection from localhost[::1]
> Jan 22 16:13:11 ares postfix/smtpd[24282]: localhost[::1]: TLS cipher list "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
> Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept:before SSL initialization
> Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept:before SSL initialization
> Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL3 alert write:fatal:protocol version
> Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept:error in error
> Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept error from localhost[::1]: -1
> Jan 22 16:13:11 ares postfix/smtpd[24282]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
> Jan 22 16:13:11 ares postfix/smtpd[24282]: lost connection after STARTTLS from localhost[::1]
> Jan 22 16:13:11 ares postfix/smtpd[24282]: disconnect from localhost[::1] ehlo=1 starttls=0/1 commands=1/2
>
> Same happens for STARTTLS over port 587:
> # openssl s_client -starttls smtp -crlf -tls1_3 -connect localhost:587
> CONNECTED(00000003)
> 139770914207552:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
>
> Kind regards,
> Taco de Wolff
>
> On Mon, Jan 22, 2024 at 11:54 AM Matthias Schneider <matthias.schnei...@rmail.de> wrote:
>
>> Hi,
>>
>> I think this has something to do with smtpd_tls_fingerprint_digest:
>>
>> smtpd_tls_fingerprint_digest = ${{$compatibility_level} <level {3.6} ? {md5} : {sha256}}
>>
>> since you have 3.5 it's using md5, try to set this value to sha256
>>
>> best regards
>> Matthias
>>
>> ------------------------------
>> *From: *"Taco de Wolff via Postfix-users" <postfix-users@postfix.org>
>> *To: *"postfix-users" <postfix-users@postfix.org>
>> *Sent: *Monday, 22 January 2024 15:44:40
>> *Subject: *[pfx] Enabling TLS1.3 and allow sending over SMTPS/465
>>
>> Hi,
>>
>> Two questions really, one is that I can't enable TLS1.3 whatever I try. Running CentOS8 with OpenSSL v1.1.1k-FIPS and Postfix v3.5.8, I confirm that TLS1.3 ciphers are available:
>>
>> # openssl version
>> OpenSSL 1.1.1k FIPS 25 Mar 2021
>>
>> # postconf -T compile-version
>> OpenSSL 1.1.1k FIPS 25 Mar 2021
>>
>> # postconf -T run-version
>> OpenSSL 1.1.1k FIPS 25 Mar 2021
>>
>> # openssl ciphers -v
>> TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
>> TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
>> etc.
>>
>> Relevant configuration for port 465 (implicit TLS):
>> # postconf
>> smtpd_tls_cert_file = /path/to/crt
>> smtpd_tls_ciphers = medium
>> smtpd_tls_exclude_ciphers =
>> smtpd_tls_key_file = /path/to/key
>> smtpd_tls_mandatory_ciphers = medium
>> smtpd_tls_mandatory_exclude_ciphers =
>> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>> tls_medium_cipherlist = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
>> smtpd_tls_security_level = encrypt
>> smtpd_tls_wrappermode = yes
>>
>> Trying to connect using TLS1.3 on a client that supports both TLS1.3 ciphersuites, I get:
>> $ openssl s_client -connect server.hostname:465 -tls1_3
>> Connecting to [IPADDRESS]
>> CONNECTED(00000003)
>> 40879BE5F97F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:861:SSL alert number 70
>>
>> Has this something to do with FIPS mode? I don't think so because the ciphers show up in OpenSSL. Why is TLS1.3 not getting enabled?
>>
>> Second question came up while fixing a blocked outbound port 25 with my ISP. I've noticed that mail gets sent to DANE enabled servers, I suppose because it uses port 587 using STARTTLS. I wonder if postfix allows sending mail over the recommended implicit TLS port 465 between mail servers? The documentation isn't very clear on the distinction between (implicit) TLS and STARTTLS, but setting smtp_tls_wrappermode=yes would force using implicit TLS (right?), while I want to use opportunistic implicit TLS (with fallback to STARTTLS, it's better than nothing) which can be enforced by DANE enabled servers.
>>
>> Kind regards,
>> Taco de Wolff
>>
>> _______________________________________________
>> Postfix-users mailing list -- postfix-users@postfix.org
>> To unsubscribe send an email to postfix-users-le...@postfix.org
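As an added example (not code from the thread or from Postfix), a small Python model of the two settings the thread juggles: it parses an smtpd_tls_protocols value, separates the TLS 1.3 suites (TLS_* names, which OpenSSL configures through a different call) from the TLS 1.2 ciphers in tls_medium_cipherlist, and pulls the "TLS library problem" reason out of smtpd log lines like the ones quoted above. The simplified protocol-list rule and the embedded log excerpt are assumptions.

```python
"""Added example, not from the thread: model the Postfix smtpd TLS settings discussed
above and extract the handshake-failure reason from smtpd log lines."""
import re

# Protocol names Postfix knows, oldest first.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def allowed_protocols(setting):
    """Parse an smtpd_tls_protocols value such as "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1".
    Simplified Postfix rule (assumption): names without '!' form an allow-list when
    present, otherwise every known protocol starts allowed; '!name' entries are removed."""
    tokens = [t for t in re.split(r"[,\s]+", setting.strip()) if t]
    include = {t for t in tokens if not t.startswith("!")}
    exclude = {t[1:] for t in tokens if t.startswith("!")}
    base = include if include else set(PROTOCOLS)
    return [p for p in PROTOCOLS if p in base and p not in exclude]


def split_cipherlist(cipherlist):
    """OpenSSL configures TLS 1.3 suites (TLS_* names) through a separate call from
    the TLS 1.2 cipher list, so report the two groups separately."""
    names = cipherlist.split(":")
    return ([c for c in names if c.startswith("TLS_")],
            [c for c in names if not c.startswith("TLS_")])


def tls13_possible(protocols_setting, cipherlist):
    """True when the Postfix settings alone would let a TLS 1.3 handshake through.
    A system-wide crypto policy (FIPS:OSPP in the thread) can still veto it in OpenSSL."""
    return ("TLSv1.3" in allowed_protocols(protocols_setting)
            and bool(split_cipherlist(cipherlist)[0]))


# Matches the "TLS library problem" warning smtpd logs on a failed handshake.
TLS_PROBLEM = re.compile(r"postfix/smtpd\[\d+\]: warning: TLS library problem: "
                         r"error:(\w+):SSL routines:(\w+):([^:]+):")


def handshake_failures(log_text):
    """Return (error code, OpenSSL function, reason) for each failed handshake."""
    return [m.groups() for m in TLS_PROBLEM.finditer(log_text)]


# Constructed log excerpt modelled on the thread's maillog output.
SAMPLE_LOG = """\
Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL3 alert write:fatal:protocol version
Jan 22 16:13:11 ares postfix/smtpd[24282]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 22 16:13:11 ares postfix/smtpd[24282]: lost connection after STARTTLS from localhost[::1]
"""
```

Even when tls13_possible() returns True for the thread's configuration, the handshake can still fail with "unsupported protocol" because the system-wide crypto policy overrides what OpenSSL will negotiate, which is what switching the policy to DEFAULT resolved.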