Hi, recently I’m seeing STARTTLS issues with a specific site, while the TLS-handshakes work fine for other sites. The failed handshake manifests in this excerpt:
May 14 11:07:20 nihlus postfix/smtpd[60685]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: SSL_accept error from sam.dfn-cert.de[193.174.13.196]: -1
May 14 11:07:20 nihlus postfix/smtpd[60685]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:960:
May 14 11:07:20 nihlus postfix/smtpd[60685]: lost connection after STARTTLS from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: disconnect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/postscreen[60684]: CONNECT from [193.174.13.196]:59867 to [188.138.4.217]:25
May 14 11:07:20 nihlus postfix/postscreen[60684]: WHITELISTED [193.174.13.196]:59867
May 14 11:07:20 nihlus postfix/smtpd[60685]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: 3gT94m2jg2z1y: client=sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/cleanup[60690]: 3gT94m2jg2z1y: message-id=<[email protected]>
May 14 11:07:20 nihlus postfix/qmgr[18296]: 3gT94m2jg2z1y: from=<[email protected]>, size=8951, nrcpt=1 (queue active)
May 14 11:07:20 nihlus postfix/smtpd[60685]: disconnect from sam.dfn-cert.de[193.174.13.196]

% postconf -n | grep tls
smtp_tls_loglevel = 1
smtp_tls_security_level = dane
smtp_tls_session_cache_database = lmdb:$data_directory/smtp_scache
smtpd_tls_cert_file = $config_directory/server.pem
smtpd_tls_dh1024_param_file = $config_directory/dh2048.pem
smtpd_tls_dh512_param_file = $config_directory/dh512.pem
smtpd_tls_eecdh_grade = none
smtpd_tls_key_file = /etc/ssl/private/host_domain_tld.key
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2,!SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = lmdb:$data_directory/smtpd_scache
tls_preempt_cipherlist = yes

% openssl version
OpenSSL 1.0.1e 11 Feb 2013

% postconf mail_version
mail_version = 2.11.0

A quick test with SSL3 enabled allows a TLS connection from this particular server:

May 14 11:41:31 nihlus postfix/smtpd[60964]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:41:31 nihlus postfix/smtpd[60964]: Anonymous TLS connection established from sam.dfn-cert.de[193.174.13.196]: SSLv3 with cipher ADH-AES256-SHA (256/256 bits)
May 14 11:41:31 nihlus postfix/smtpd[60964]: 3gT9rC3Znvz1y: client=sam.dfn-cert.de[193.174.13.196]
May 14 11:41:31 nihlus postfix/cleanup[60971]: 3gT9rC3Znvz1y: message-id=<[email protected]>
May 14 11:41:31 nihlus postfix/qmgr[60752]: 3gT9rC3Znvz1y: from=<[email protected]>, size=17656, nrcpt=1 (queue active)

How does one best implement a workaround for this site? Looking at TLS policies http://www.postfix.org/TLS_README.html#client_tls_policy these seem to target the client only.

Regards,
Thomas

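As an added example (not part of Thomas's post and not Postfix code), a small Python parser that reassembles smtpd log lines into per-connection sessions and reports peers whose STARTTLS handshake failed and which then reconnected and delivered in cleartext, which is exactly what the first excerpt shows for sam.dfn-cert.de. The sample log is constructed from that excerpt; the second peer mx.example.org, its pid and its queue id are assumed.

```python
import re

# Constructed sample, modelled on the excerpt in the post (not the original log verbatim).
SAMPLE_LOG = """\
May 14 11:07:20 nihlus postfix/smtpd[60685]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: SSL_accept error from sam.dfn-cert.de[193.174.13.196]: -1
May 14 11:07:20 nihlus postfix/smtpd[60685]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:960:
May 14 11:07:20 nihlus postfix/smtpd[60685]: lost connection after STARTTLS from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: disconnect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: connect from sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: 3gT94m2jg2z1y: client=sam.dfn-cert.de[193.174.13.196]
May 14 11:07:20 nihlus postfix/smtpd[60685]: disconnect from sam.dfn-cert.de[193.174.13.196]
May 14 11:09:02 nihlus postfix/smtpd[60700]: connect from mx.example.org[192.0.2.10]
May 14 11:09:02 nihlus postfix/smtpd[60700]: Anonymous TLS connection established from mx.example.org[192.0.2.10]: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)
May 14 11:09:02 nihlus postfix/smtpd[60700]: 3gT9ABCDEFz1y: client=mx.example.org[192.0.2.10]
May 14 11:09:02 nihlus postfix/smtpd[60700]: disconnect from mx.example.org[192.0.2.10]
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")   # only smtpd lines carry the session
PEER_IP = re.compile(r"\[([\d.]+)\]")                  # IPv4 in "host[ip]" (assumed sample is v4-only)

def parse_sessions(log_text):
    """Reassemble smtpd lines into per-connection sessions, keyed by smtpd pid."""
    open_sessions, sessions = {}, []
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from"):
            open_sessions[pid] = {"peer": PEER_IP.search(msg).group(1),
                                  "tls_error": None, "tls": None, "delivered": False}
        elif pid in open_sessions:
            s = open_sessions[pid]
            if "TLS library problem: " in msg:           # handshake failed, keep the OpenSSL reason
                s["tls_error"] = msg.split("TLS library problem: ", 1)[1]
            elif "TLS connection established" in msg:    # record the protocol, e.g. "SSLv3"
                s["tls"] = msg.split(": ", 1)[1].split(" with ")[0]
            elif ": client=" in msg:                     # smtpd accepted a message on this connection
                s["delivered"] = True
            elif msg.startswith("disconnect from"):
                sessions.append(open_sessions.pop(pid))
    return sessions

def cleartext_fallbacks(sessions):
    """Peer IPs whose STARTTLS failed and which then delivered mail without TLS."""
    failed = {s["peer"] for s in sessions if s["tls_error"]}
    return sorted({s["peer"] for s in sessions
                   if s["peer"] in failed and s["delivered"] and not s["tls"]})
```

Peers listed by cleartext_fallbacks are the ones for which the smtpd_tls_protocols change downgraded delivery to plaintext rather than blocking it, which is the population any workaround would need to cover.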