On 2020-05-15 12:56:18 -0400, Wietse Venema wrote:
> Roland Freikamp:
> > Hi,
> > 
> > I recently upgraded my mailserver-linux-system, which also upgraded Postfix
> > from 3.4.6 to 3.4.9, and renewed the TLS-certificates (Let's Encrypt).
> > The Postfix-configuration did not change.
> > Since then, some mails could not be delivered to my server, because it
> > seems that the mailservers could not agree on a TLS algorithm:
> > 
> > postfix/smtpd[17880]: connect from ...[...]
> > postfix/smtpd[17880]: SSL_accept error from ...[...]: -1
> > postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL 
> > routines:tls_post_process_client_hello:no shared 
> > cipher:ssl/statem/statem_srvr.c:2282:
> > postfix/smtpd[17880]: lost connection after STARTTLS from ...[...]
> > postfix/smtpd[17880]: disconnect from ...[...] ehlo=1 starttls=0/1 
> > commands=1/2
> > 
> > Setting "smtpd_tls_ciphers = low" did not help; the only way to receive
> > the mails was disabling TLS completely ("smtpd_tls_security_level = none").
> > But I would like to enable TLS again.
> > 
> > Do you know what the reason could be and how it could be fixed?
> > (Change in Postfix default configuration? Bad certificate? Bad TLS library?
> > Bad TLS on other mailserver?)
> 
> The crystal ball isn't working. What is the output from:
> postconf -nf | grep tls
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aNULL,eNULL,CAMELLIA
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /var/lib/acme/srv04.k-facility.de/fullchain.pem
smtpd_tls_dh1024_param_file = /var/lib/dhparams/postfix.pem
smtpd_tls_key_file = /var/lib/acme/srv04.k-facility.de/key.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION

> postconf -P | grep tls
submission/inet/smtpd_tls_security_level = encrypt

I've now set "smtpd_tls_loglevel = 2" -- hopefully this can tell me
more.


thanks
Roland
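As an added example (not part of Roland's or Wietse's messages, and not Postfix code), the following Python script scans smtpd log lines for the failure pattern shown in the thread: an `SSL_accept error`, the `TLS library problem ... no shared cipher` warning, and a `disconnect` line whose `starttls=0/1` counter records zero successful STARTTLS out of one attempt. It groups lines by smtpd process id so each failure is tied to the client that opened that session, and it leaves plaintext-only sessions and successful handshakes unflagged. The sample log lines are constructed for the example; hostnames, addresses and timestamps are invented, and the line layout follows the thread's excerpt.

```python
import re
from collections import Counter

# Constructed sample lines (not real traffic); layout follows the thread's excerpt.
SAMPLE_LOG = """\
May 15 12:01:02 srv postfix/smtpd[17880]: connect from mx.example.net[192.0.2.10]
May 15 12:01:02 srv postfix/smtpd[17880]: SSL_accept error from mx.example.net[192.0.2.10]: -1
May 15 12:01:02 srv postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
May 15 12:01:02 srv postfix/smtpd[17880]: lost connection after STARTTLS from mx.example.net[192.0.2.10]
May 15 12:01:02 srv postfix/smtpd[17880]: disconnect from mx.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
May 15 12:05:44 srv postfix/smtpd[17901]: connect from relay.example.org[198.51.100.7]
May 15 12:05:45 srv postfix/smtpd[17901]: Anonymous TLS connection established from relay.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
May 15 12:05:46 srv postfix/smtpd[17901]: disconnect from relay.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 15 12:07:10 srv postfix/smtpd[17915]: connect from plain.example.com[203.0.113.5]
May 15 12:07:11 srv postfix/smtpd[17915]: disconnect from plain.example.com[203.0.113.5] ehlo=1 quit=1 commands=2
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT_RE = re.compile(r"^connect from (?P<client>\S+)$")
ACCEPT_ERR_RE = re.compile(r"^SSL_accept error from (?P<client>\S+): (?P<code>-?\d+)$")
# OpenSSL error text: error:<hex>:SSL routines:<function>:<reason>:<file>:<line>:
LIB_ERR_RE = re.compile(
    r"TLS library problem: error:(?P<hex>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):"
)
DISCONNECT_RE = re.compile(r"^disconnect from (?P<client>\S+)(?P<counters>.*)$")
# Postfix logs "starttls=N" when every attempt succeeded, "starttls=OK/TRIED" otherwise.
STARTTLS_RE = re.compile(r"starttls=(?P<ok>\d+)(?:/(?P<tried>\d+))?")


def analyze_smtpd_log(text):
    """Return one record per smtpd session whose STARTTLS handshake failed."""
    sessions = {}  # pid -> session state between 'connect from' and 'disconnect from'
    failures = []
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue  # not an smtpd line (other daemons, unrelated syslog)
        pid, msg = m.group("pid"), m.group("msg")

        c = CONNECT_RE.match(msg)
        if c:
            sessions[pid] = {"pid": pid, "client": c.group("client"),
                             "ssl_accept_error": False, "reason": None}
            continue

        s = sessions.get(pid)
        if s is None:
            continue  # line belongs to a session whose 'connect' we never saw

        if ACCEPT_ERR_RE.match(msg):
            s["ssl_accept_error"] = True
            continue

        e = LIB_ERR_RE.search(msg)
        if e:
            s["reason"] = e.group("reason")  # e.g. "no shared cipher"
            continue

        d = DISCONNECT_RE.match(msg)
        if d:
            st = STARTTLS_RE.search(d.group("counters"))
            ok = int(st.group("ok")) if st else 0
            tried = int(st.group("tried")) if st and st.group("tried") else ok
            s["starttls_ok"], s["starttls_tried"] = ok, tried
            done = sessions.pop(pid)
            # Flag the session if the library reported a handshake error or
            # the STARTTLS counter shows fewer successes than attempts.
            if done["ssl_accept_error"] or tried > ok:
                failures.append(done)
    return failures


def failures_by_reason(failures):
    """Count failed sessions per (client, reason) so recurring peers stand out."""
    return Counter((f["client"], f["reason"] or "unknown") for f in failures)


if __name__ == "__main__":
    for (client, reason), n in failures_by_reason(analyze_smtpd_log(SAMPLE_LOG)).items():
        print(f"{n:3d}  {client:40s}  {reason}")
```

Run against a real mail log the script would list each peer whose handshake fails together with the OpenSSL reason string, which separates a cipher-negotiation mismatch (`no shared cipher`) from certificate or protocol-version problems before any configuration is changed; raising `smtpd_tls_loglevel`, as the thread goes on to do, adds the client's offered cipher list to the same log stream.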