> On 15 May 2020, at 10:18, Roland Freikamp <rk-l...@simple-is-better.org> 
> wrote:
> 
> Hi,
> 
> I recently upgraded my mailserver-linux-system, which also upgraded Postfix
> from 3.4.6 to 3.4.9, and renewed the TLS-certificates (Let's Encrypt).
> The Postfix-configuration did not change.
> Since then, some mails could not be delivered to my server, because it
> seems that the mailservers could not agree on a TLS algorithm:
> 
> postfix/smtpd[17880]: connect from ...[...]
> postfix/smtpd[17880]: SSL_accept error from ...[...]: -1
> postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL 
> routines:tls_post_process_client_hello:no shared 
> cipher:ssl/statem/statem_srvr.c:2282:
> postfix/smtpd[17880]: lost connection after STARTTLS from ...[...]
> postfix/smtpd[17880]: disconnect from ...[...] ehlo=1 starttls=0/1 
> commands=1/2

Are you requiring that mailservers connect only with TLS?

That is generally not recommended.

I suspect you are, and that your new upgrade has removed support for the EOLed 
TLSv1.0 and TLSv1.1.

Normally, a failed negotiation of TLS on smtpd will result in the connection 
continuing with no encryption.

You should probably have:
smtpd_tls_security_level = may


> Setting "smtpd_tls_ciphers = low"

Do not do that, as a general rule.

> did not help; the only way to receive
> the mails was disabling TLS completely ("smtpd_tls_security_level = none").
> But I would like to enable TLS again.

Then your setting should almost certainly be ‘may’ if you want to receive mail 
from this server.

> Do you know what the reason could be and how it could be fixed?

You made this a bit harder by eliding most of the log lines, but the failure to 
establish starttls (starttls=0/1) indicates a failure to negotiate acceptable 
security between the machines.

The first question is, is the server in question one you WANT to receive mail 
from? It is pretty rare for me to have a TLS warning anymore, and it is almost 
always a domain I’ve never heard of. (Today it is starttls-everywhere.org, a 
2-year-old domain I’ve never heard of). Most of these warnings in my logs are 
servers that look like spammer domains.

# bzgrep "SSL_accept error from" /var/log/mail.log | awk '{print $9}' | sort -u
171-103-165-86.static.asianet.co.th[171.103.165.86]:
mx-ll-183.88.243-6.dynamic.3bb.co.th[183.88.243.6]:
starttls-everywhere.org[178.128.188.40]:
unknown[102.46.179.30]:
unknown[116.107.125.225]:
unknown[14.187.41.12]:

And then thousands of “unknown” following.

I don’t care about any of these senders.

> (Change in Postfix default configuration? Bad certificate? Bad TLS library?
> Bad TLS on other mailserver?)

Spammer scum, most likely.



-- 
Beware of geeks bearing .GIF’s
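
A more robust version of the log triage described above, added here as an example and not part of the thread: instead of picking a fixed awk field, it pairs each smtpd process ID with the client it is serving, so the "no shared cipher" library warning (which names no client) is attributed to the right session, and it counts only sessions that reached STARTTLS but never completed it (starttls=0/1). The syslog prefix and the host names and addresses in the sample are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample of Postfix smtpd log lines, modelled on the ones quoted
# in the thread. Host names and the 192.0.2.x / 198.51.100.x addresses are
# documentation placeholders, not real senders.
SAMPLE_LOG = """\
May 15 10:18:01 mx postfix/smtpd[17880]: connect from mail.example.net[192.0.2.10]
May 15 10:18:01 mx postfix/smtpd[17880]: SSL_accept error from mail.example.net[192.0.2.10]: -1
May 15 10:18:01 mx postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
May 15 10:18:01 mx postfix/smtpd[17880]: lost connection after STARTTLS from mail.example.net[192.0.2.10]
May 15 10:18:01 mx postfix/smtpd[17880]: disconnect from mail.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
May 15 10:19:30 mx postfix/smtpd[17902]: connect from relay.example.org[198.51.100.7]
May 15 10:19:31 mx postfix/smtpd[17902]: disconnect from relay.example.org[198.51.100.7] ehlo=2 starttls=1/1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 15 10:20:05 mx postfix/smtpd[17880]: connect from unknown[192.0.2.44]
May 15 10:20:05 mx postfix/smtpd[17880]: SSL_accept error from unknown[192.0.2.44]: -1
May 15 10:20:05 mx postfix/smtpd[17880]: disconnect from unknown[192.0.2.44] ehlo=1 starttls=0/1 commands=1/2
"""

SMTPD_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CLIENT_RE = re.compile(r"\bfrom (?P<client>\S+\[[^\]]*\])")   # name[addr]
STARTTLS_RE = re.compile(r"\bstarttls=(?P<ok>\d+)/(?P<tried>\d+)")
NO_SHARED_CIPHER = "no shared cipher"


def failed_starttls_clients(log_text):
    """Return (Counter of client -> sessions with starttls=0/1,
    set of clients whose session logged a 'no shared cipher' error)."""
    failed = Counter()
    no_cipher = set()
    current = {}  # smtpd pid -> client currently being served
    for line in log_text.splitlines():
        m = SMTPD_RE.search(line)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        c = CLIENT_RE.search(msg)
        if c:
            current[pid] = c.group("client")
        # The TLS library warning carries no client; attribute it via the pid.
        if NO_SHARED_CIPHER in msg and pid in current:
            no_cipher.add(current[pid])
        s = STARTTLS_RE.search(msg)
        if msg.startswith("disconnect from") and s:
            if int(s.group("tried")) > 0 and int(s.group("ok")) == 0:
                failed[current.get(pid, "?")] += 1
            current.pop(pid, None)  # session over; pid will be reused
    return failed, no_cipher
```

Clients that appear here but never show up with starttls=1/1 elsewhere in the log are the ones worth checking against the "do I want mail from them at all" question above.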

