On Sun, 22 Jan 2012 20:03:09 -0500 (EST), Wietse Venema
<wie...@porcupine.org> wrote:
> Mark Alan:
> > /var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
> > warning: TLS library problem:2797:error:1408A10B:SSL
> > routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:

> Does your SMTP server accept SSLv3 connections?

It seems that it should renegotiate (to TLSv1) a connection from:
openssl s_client -crlf -starttls smtp -connect mail.example.com:587

But it does not. It fails with a "Secure Renegotiation IS NOT supported" message.

Although it is capable of a perfectly good TLSv1 connection from:
openssl s_client -crlf -starttls smtp -connect mail.example.com:587 -tls1

# grep -A 9 'submission' /etc/postfix/master.cf
        submission inet n       -       -       -       -       smtpd
          -o syslog_name=postfix-submission
          -o tls_preempt_cipherlist=yes
          -o smtpd_tls_mandatory_ciphers=high
          -o smtpd_tls_mandatory_protocols=TLSv1
          -o smtpd_tls_exclude_ciphers=AES128,DES,3DES,CAMELLIA128,MD5,aNULL
          -o smtpd_tls_security_level=encrypt
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_client_restrictions=permit_sasl_authenticated,reject
          -o milter_macro_daemon_name=ORIGINATING

> Should your SMTP server accept such connections?

It should renegotiate and accept an openssl s_client TLS connection.

In 'man s_client' we can find:
"By default the initial handshake uses a method which should be
compatible with all servers and permit them to use SSL v3, SSL v2 or
TLS as appropriate.
Unfortunately there are a lot of ancient and broken servers in use
which cannot handle this technique and will fail to connect."


Mark
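As an added example (not from this thread or from Postfix itself): a small Python parser for master.cf service entries, including the whitespace-continuation lines used for `-o` overrides, plus a policy check for the submission settings discussed above. The sample stanza is constructed from the one quoted in the mail; the `legacy` service is hypothetical and exists only to show a failing audit.

```python
# Constructed sample: the quoted submission stanza plus a hypothetical weak service.
MASTER_CF = """\
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_mandatory_protocols=TLSv1
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
legacy     inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=may
"""
LEGACY = {"SSLv2", "SSLv3"}
def parse_master_cf(text):
    """Map service name -> {key: value} from its '-o key=value' arguments."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            services[current].extend(line.split())   # continuation line
        else:
            tokens = line.split()
            current, services[tokens[0]] = tokens[0], tokens[1:]
    result = {}
    for name, tokens in services.items():
        overrides, args = {}, tokens[7:]   # 7 fixed columns precede the command args
        for flag, kv in zip(args, args[1:]):
            if flag == "-o" and "=" in kv:
                key, value = kv.split("=", 1)
                overrides[key] = value
        result[name] = overrides
    return result
def allowed_legacy(spec):
    """Legacy protocols a smtpd_tls_mandatory_protocols value still permits."""
    names = [n.strip() for n in spec.replace(":", ",").split(",") if n.strip()]
    if not names:                      # unset: the server's default decides
        return set(LEGACY)
    if all(n.startswith("!") for n in names):   # exclusion form: !SSLv2, !SSLv3
        return LEGACY - {n[1:] for n in names}
    return LEGACY & set(names)                  # inclusion form: TLSv1
def audit_submission(overrides):
    """Findings for a port-587 submission service; an empty list means OK."""
    findings = []
    if overrides.get("smtpd_tls_security_level") != "encrypt":
        findings.append("TLS is optional (smtpd_tls_security_level is not encrypt)")
    if overrides.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL authentication is not enabled")
    legacy = allowed_legacy(overrides.get("smtpd_tls_mandatory_protocols", ""))
    if legacy:
        findings.append("legacy protocols permitted: " + ", ".join(sorted(legacy)))
    return findings
```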
