On Tue, Oct 15, 2013 at 12:21:28PM +0200, Michael Büker wrote:

> > Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> >
> > Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44: to=<mb@michael-bueker.de>, relay=smtp-auth.foo.de[999.169.5.134]:587, delay=0.51, delays=0.08/0.03/0.4/0, dsn=4.4.2, status=deferred (lost connection with smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake)
>
> Now, I _think_ the tls_policy entry is correct, because if I set it to
> something absurd like "protocols=SSLv2", the connection fails predictably:
Note the "while performing the EHLO handshake" detail. This means the TLS
handshake succeeded, but the subsequent SMTP commands failed inside the
encrypted channel.

Fortunately, your over-obfuscation of the target server left me with only
224 choices of the target IP address. The server in question is a
Microsoft Exchange server with buggy 3DES ciphersuites (IIRC found in
Windows XP, and perhaps Windows Server 2003).

Add "exclude=3DES" to the entry table for this server, and you'll likely
be fine. You probably don't need to tweak the protocols.

$ posttls-finger -o 'tls_medium_cipherlist=aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:!3DES:@STRENGTH' "[smtp-auth.foo.de]:587"
posttls-finger: Connected to smtp-auth.foo.de[999.169.5.134]:587
posttls-finger: < 220 adxf3.win.foo.de Microsoft ESMTP MAIL Service, Version: 6.0.3790.4675 ready at Tue, 15 Oct 2013 16:43:11 +0200
posttls-finger: > EHLO central-dogma.lan
posttls-finger: < 250-adxf3.win.foo.de Hello [999.169.40.26]
posttls-finger: < 250-TURN
posttls-finger: < 250-SIZE
posttls-finger: < 250-ETRN
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8bitmime
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250-CHUNKING
posttls-finger: < 250-VRFY
posttls-finger: < 250-TLS
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-X-EXPS GSSAPI NTLM
posttls-finger: < 250-AUTH GSSAPI NTLM
posttls-finger: < 250-X-LINK2STATE
posttls-finger: < 250-XEXCH50
posttls-finger: < 250 OK
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 SMTP server ready
posttls-finger: smtp-auth.foo.de[999.169.5.134]:587: Matched subjectAltName: smtp-auth.foo.de
posttls-finger: smtp-auth.foo.de[999.169.5.134]:587 CommonName smtp-auth.foo.de
posttls-finger: certificate verification failed for smtp-auth.foo.de[999.169.5.134]:587: untrusted issuer /C=DE/O=Deutsche Telekom AG/OU=T-TeleSec Trust Center/CN=Deutsche Telekom Root CA 2
posttls-finger: smtp-auth.foo.de[999.169.5.134]:587: subject_CN=smtp-auth.foo.de, issuer_CN=FOO CA - G02, fingerprint=21:B2:6F:D3:19:96:C7:DE:73:A4:0B:70:FA:6B:4C:B1:BC:F1:97:CE, pkey_fingerprint=CC:50:03:5F:14:AA:4B:AC:46:B4:C0:0A:D2:9C:B1:77:E8:DD:0F:10
posttls-finger: Untrusted TLS connection established to smtp-auth.foo.de[999.169.5.134]:587: TLSv1 with cipher RC4-MD5 (128/128 bits)
posttls-finger: > EHLO central-dogma.lan
posttls-finger: < 250-adxf3.win.foo.de Hello [999.169.40.26]
posttls-finger: < 250-TURN
posttls-finger: < 250-SIZE
posttls-finger: < 250-ETRN
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8bitmime
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250-CHUNKING
posttls-finger: < 250-VRFY
posttls-finger: < 250-X-EXPS GSSAPI NTLM LOGIN
posttls-finger: < 250-X-EXPS=LOGIN
posttls-finger: < 250-AUTH GSSAPI NTLM LOGIN
posttls-finger: < 250-AUTH=LOGIN
posttls-finger: < 250-X-LINK2STATE
posttls-finger: < 250-XEXCH50
posttls-finger: < 250 OK
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 adxf3.win.foo.de Service closing transmission channel

I'd like to suggest that you find a less broken email provider.

-- 
Viktor.
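As an added illustration of the diagnostic applied in the reply above (this is not code from the thread or from Postfix): a small Python log correlator that pairs a postfix/smtp "TLS library problem" warning with a deferral from the same smtp(8) process whose cause is "while performing the EHLO handshake", i.e. TLS negotiated but the session died inside the encrypted channel. The sample log lines are constructed from the quoted excerpt, with mailbox names replaced and a "status=sent" line added as a negative case.

```python
import re

# Constructed sample log lines, modelled on the excerpt quoted in the thread
# (mailbox names replaced; the final "status=sent" line is added as a negative case).
SAMPLE_LOG = """\
Oct 15 02:30:04 asterix postfix/smtp[4458]: warning: TLS library problem: 4458:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
Oct 15 02:30:04 asterix postfix/smtp[4458]: 42E021A0F44: to=<user@example.invalid>, relay=smtp-auth.foo.de[999.169.5.134]:587, delay=0.51, delays=0.08/0.03/0.4/0, dsn=4.4.2, status=deferred (lost connection with smtp-auth.foo.de[999.169.5.134] while performing the EHLO handshake)
Oct 15 02:31:10 asterix postfix/smtp[4460]: 9A1F71A0F45: to=<other@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=1.2, delays=0.1/0.0/1.0/0.1, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# One postfix/smtp(8) syslog line: timestamp, host, process id, remainder.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# OpenSSL error string as Postfix logs it: "...:SSL routines:<func>:<reason>:<file>:<line>:"
TLS_WARN_RE = re.compile(r"warning: TLS library problem: .*SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):")
# Deferred delivery record; the parenthesised detail carries the SMTP-level cause.
DEFER_RE = re.compile(r"^(?P<qid>[0-9A-F]+): .*relay=(?P<relay>[^,]+), .*status=deferred \((?P<detail>.*)\)$")


def find_post_handshake_failures(log_text):
    """Pair a TLS library warning with a deferral from the same smtp(8) process
    whose cause is 'while performing the EHLO handshake': TLS negotiated, then
    the session broke on the first commands inside the encrypted channel."""
    last_tls_warning = {}  # pid -> (func, reason) of that process's latest TLS warning
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        w = TLS_WARN_RE.search(msg)
        if w:
            last_tls_warning[pid] = (w.group("func"), w.group("reason"))
            continue
        d = DEFER_RE.match(msg)
        if d and "EHLO handshake" in d.group("detail") and pid in last_tls_warning:
            func, reason = last_tls_warning.pop(pid)
            findings.append({
                "queue_id": d.group("qid"),
                "relay": d.group("relay"),
                "tls_error": f"{func}: {reason}",
                # Next step from the post: probe the relay with posttls-finger and, for
                # the buggy Exchange case, add exclude=3DES to its tls_policy entry.
                "action": "probe with posttls-finger; consider exclude=3DES in tls_policy",
            })
    return findings


if __name__ == "__main__":
    for finding in find_post_handshake_failures(SAMPLE_LOG):
        print(finding)
```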