On Sun, 22 Jan 2012 20:03:09 -0500 (EST), Wietse Venema <wie...@porcupine.org> wrote:
> Mark Alan:
> > /var/log/mail.log:Jan 22 19:09:29 mx postfix-submission/smtpd[2797]:
> > warning: TLS library problem:2797:error:1408A10B:SSL
> > routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:
> Does your SMTP server accept SSLv3 connections?

It seems that it should renegotiate (to TLSv1) a connection from:

    openssl s_client -crlf -starttls smtp -connect mail.example.com:587

But it does not. It fails with a "Secure Renegotiation IS NOT supported"

Although it is capable of a perfectly good TLSv1 connection from:

    openssl s_client -crlf -starttls smtp -connect mail.example.com:587 -tls

    # grep -A 9 'submission' /etc/postfix/master.cf
    submission inet n - - - - smtpd
      -o syslog_name=postfix-submission
      -o tls_preempt_cipherlist=yes
      -o smtpd_tls_mandatory_ciphers=high
      -o smtpd_tls_mandatory_protocols=TLSv1
      -o smtpd_tls_exclude_ciphers=AES128,DES,3DES,CAMELLIA128,MD5,aNULL
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

> Should your SMTP server accept such connections?

It should renegotiate and accept an openssl s_client TLS connection.

In 'man s_client' we can find:

    "By default the initial handshake uses a method which should be
    compatible with all servers and permit them to use SSL v3, SSL v2 or
    TLS as appropriate. Unfortunately there are a lot of ancient and
    broken servers in use which cannot handle this technique and will
    fail to connect."

Mark
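Added example, not part of the original message or of Postfix: a small parser that pulls "TLS library problem" warnings like the one quoted above out of a mail log, splits the packed OpenSSL error code into its library, function and reason numbers, and counts failures per service. The log lines are constructed samples, the function names are hypothetical, and the bit layout assumes the pre-3.0 OpenSSL error packing that the `s3_srvr.c` file name implies.

```python
import re
from collections import Counter

# Constructed sample log lines modelled on the warning quoted in the message.
SAMPLE_LOG = """\
Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: warning: TLS library problem: 2797:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:
Jan 22 19:09:29 mx postfix-submission/smtpd[2797]: lost connection after STARTTLS from unknown[192.0.2.10]
Jan 22 19:12:02 mx postfix-submission/smtpd[2811]: warning: TLS library problem:2811:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:771:
Jan 22 19:15:40 mx postfix/smtpd[2830]: connect from unknown[192.0.2.44]
"""

# Postfix logs the OpenSSL error string as pid:error:CODE:lib:func:reason:file:line:
TLS_WARNING = re.compile(
    r"(?P<service>[\w.-]+)/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem:\s*"
    r"\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):"
)

def decode_error_code(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason)."""
    value = int(code_hex, 16)
    return (value >> 24) & 0xFF, (value >> 12) & 0xFFF, value & 0xFFF

def parse_tls_warnings(log_text):
    """Return one dict per TLS library warning found in the log text."""
    events = []
    for line in log_text.splitlines():
        match = TLS_WARNING.search(line)
        if not match:
            continue  # not a TLS library warning
        event = match.groupdict()
        ids = decode_error_code(event["code"])
        event["lib_id"], event["func_id"], event["reason_id"] = ids
        events.append(event)
    return events

def summarize(events):
    """Count warnings per (service, OpenSSL function, reason)."""
    return Counter((e["service"], e["func"], e["reason"]) for e in events)

if __name__ == "__main__":
    for (service, func, reason), n in summarize(parse_tls_warnings(SAMPLE_LOG)).items():
        print(f"{n:3d}  {service}  {func}: {reason}")
```

Grouping by `syslog_name` separates handshake failures on the submission service, which carries the `smtpd_tls_mandatory_protocols` override, from those on other smtpd instances.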