On 17.05.2014 at 12:19, Thomas Leuxner wrote:
> recently I’m seeing STARTTLS issues with a specific site, while the
> TLS-handshakes work fine for other sites. The failed handshake manifests in
> this excerpt:
> May 14 11:07:20 nihlus postfix/smtpd[60685]: warning: TLS library problem:
> error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version
> number:s3_srvr.c:960:
>
> smtpd_tls_protocols = !SSLv2,!SSLv3
>
> A quick test with SSL3 enabled allows a TLS connection from this particular
> server:
> How does one best implement a workaround for this site?

just don't break your configuration and blindly disable SSLv3 and you don't need a workaround for your own mistake

the other site doesn't support anything better than SSLv3

as a first step you need to understand that you don't make anything better in case of opportunistic TLS if you disable ciphers and protocols left and right, because you obviously missed that it ends in connections from other servers falling back to unencrypted connections if there is no suitable cipher both sides support, or, as in your case, if you disable a protocol the other side needs to connect, it fails

you made that problem by adding !SSLv3, solve it the same way by removing that
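
To see which peers a protocol restriction such as `!SSLv3` affects, and whether they come back without TLS, the smtpd log can be summarized per client. This is an added example, not part of the original thread; apart from the "TLS library problem" line the log lines are constructed, the host names are placeholders, and it assumes `smtpd_tls_loglevel = 1` so that successful handshakes are logged.

```python
import re
from collections import defaultdict

# Constructed sample log: only the "TLS library problem" line is from the post;
# host names and addresses are placeholders.
SAMPLE_LOG = """\
May 14 11:07:19 nihlus postfix/smtpd[60685]: connect from mail.example.net[192.0.2.10]
May 14 11:07:20 nihlus postfix/smtpd[60685]: SSL_accept error from mail.example.net[192.0.2.10]: -1
May 14 11:07:20 nihlus postfix/smtpd[60685]: warning: TLS library problem: error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:960:
May 14 11:07:20 nihlus postfix/smtpd[60685]: lost connection after STARTTLS from mail.example.net[192.0.2.10]
May 14 11:07:20 nihlus postfix/smtpd[60685]: disconnect from mail.example.net[192.0.2.10]
May 14 11:08:02 nihlus postfix/smtpd[60690]: connect from mx.example.org[198.51.100.7]
May 14 11:08:03 nihlus postfix/smtpd[60690]: Anonymous TLS connection established from mx.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 14 11:08:04 nihlus postfix/smtpd[60690]: disconnect from mx.example.org[198.51.100.7]
May 14 11:09:30 nihlus postfix/smtpd[60685]: connect from mail.example.net[192.0.2.10]
May 14 11:09:31 nihlus postfix/smtpd[60685]: disconnect from mail.example.net[192.0.2.10]
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
CLIENT = re.compile(r"^connect from (\S+\[[^\]]+\])")
TLS_ERR = re.compile(r"TLS library problem: error:[0-9A-F]+:[^:]*:[^:]*:([^:]+):")
TLS_OK = re.compile(r"TLS connection established from ")

def summarize(log_text):
    """Per client: OpenSSL error reasons, sessions with TLS, sessions without."""
    stats = defaultdict(lambda: {"errors": [], "tls": 0, "plain": 0})
    open_sessions = {}  # smtpd pid -> [client, outcome of the current session]
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if (c := CLIENT.match(msg)):
            open_sessions[pid] = [c.group(1), "plain"]
        elif pid not in open_sessions:
            continue
        elif (e := TLS_ERR.search(msg)):
            client = open_sessions[pid][0]
            stats[client]["errors"].append(e.group(1))
            open_sessions[pid][1] = "failed"
        elif TLS_OK.search(msg):
            open_sessions[pid][1] = "tls"
        elif msg.startswith("disconnect from"):
            client, outcome = open_sessions.pop(pid)
            if outcome != "failed":
                stats[client][outcome] += 1
    return dict(stats)
```

A client that shows an entry under `errors` and a non-zero `plain` count is one whose handshake failed and whose later session ran without TLS.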
