I turned on opportunistic TLS last summer I think.  All was fine for a
long time.  btw - I'm currently running the FreeBSD
postfix-current-3.0.20151003,4 port but previously used 2.8.

Somewhat recently someone with a residential cable provider account
complained that he got mail from me but mail from him to me bounced
(soft, so repeated bounce messages).  I was still getting email from
everywhere else, gmail, verizon, corporations, universities, IETF,
lots of places, just no mail from that cable provider and only
recently.  This was with no significant change on my end on the
primary MX and none at all on the secondary MX.

A cable provider is using a useful new SMTP feature.  Can't complain
about that.  It would be nice if it didn't dump mail on the floor.

The logs revealed something about the nature of the problem.  A few of
these sort of messages were found.

Jan 13 17:08:22 mta3 postfix/smtpd[15958]:
   warning: TLS library problem:
   error:1408A0C1:SSL
   routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1411:
Jan 13 17:08:22 mta3 postfix/smtpd[15958]:
   lost connection after STARTTLS
   from resqmta-po-05v.sys.comcast.net[2001:558:fe16:19:96:114:154:164]

The workaround is change may to none:

    smtpd_tls_security_level = none

What I'd like to do is set smtpd_tls_security_level back to "may" and
then somehow set it to "none" if the EHLO domain is comcast.net (oops
the secret is out).

I see we have smtp_tls_policy_maps, but no smtpd_tls_policy_maps.

It seems the place in the code to hook that in would be near where the
smtpd_helo_restrictions get checked.

It would also be nice to have the smptd rough equivalent of
smtp_tls_note_starttls_offer to see when TLS was used and OK if
"smtpd_tls_loglevel = 0" is used, though "smtpd_tls_loglevel = 1" is
close but a bit more verbose than just knowing it was OK.

I think the problem is that All my keys are EC generated using openssl
1.0.2, which was a brand spanking new release in Jan 2015 (yes, last
year, not this year) and comcast recently enable opportunistic TLS but
is using a release that is a year older or more - 1.0.1 or prior.

OTOH- It could also be:

    smtpd_tls_mandatory_ciphers = high

Haven't tried cranking back on that.  Could it be that they compiled
out everything but the fairly weak "medium" ciphers?  Anyone know?

In any case I figured out a way to get more information.  It seems
rather than fall back and use unencrypted, the fallback is to the
secondary MX record.

So now I have "smtpd_tls_security_level = may" and debugging turned
way up for comcast.net on the primary MX and and no debugging but
"smtpd_tls_security_level = none" on the backup MX.  I should get
debugging and a failure on the primary and delivery of mail on the
secondary so no bounced mail.

btw- that wasn't a request to send me a test message.  I'll send to my
friend and ask for a reply if nothing arrives in the next few hours.

Any suggestions?  Any insights on this problem?

Curtis

ps - Somewhere in comcast someone is sitting back happy that they
deployed something new and nothing bad happenned (between them and the
other big guys anyway).  Oh well.

Reply via email to