On Sun, Jul 19, 2020 at 06:33:10AM -0600, @lbutlr wrote:

> On 18 Jul 2020, at 07:25, ratatouille <ratatoui...@bitclusive.de> wrote:
> > mail_version = 3.3.1
> 
> This is quite old. The current version of 3.3.x is 3.3.12.

Sure, but some packaged distributions tend to backport fixes without
bumping the version number, so we don't actually know that it is materially
different from 3.3.12.

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: 
> > p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLS cipher list 
> > "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
> 
> I don't see a line like this in my logs. Are you setting a custom set
> of ciphers? This looks like tls_medium_cipherlist.

You (sensibly) don't have verbose logging enabled.

> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: SSL_accept error from 
> > p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: -1
> > Jul 18 14:55:12 dualbit1 postfix/smtpd[493943]: warning: TLS library 
> > problem: error:14209102:SSL 
> > routines:tls_early_post_process_client_hello:unsupported 
> > protocol:ssl/statem/statem_srvr.c:1661:

The client TLS hello offered either a protocol that's too new, too old,
or was just garbled.

> But the basic answer is your android device and your mail server
> cannot find a common secure protocol. This is normally caused by you
> restricting security protocols or, less commonly, by a client that is
> trying to downgrade security. I am pretty sure that you need to update
> you postfix and your openssl (or whatever package you are using for
> TLS).

This is unlikely to be necessary.  Please avoid wild guesses.

> I am suspicious of your "SSL3" in there as that should absolutely not
> be used, and the default in postfix is
> 
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

As already pointed out, this is a red herring.

On Sun, Jul 19, 2020 at 10:48:00PM +0200, ratatouille wrote:

> This is what I see with claws-mail MUA, smtpd_tls_loglevel = 1
> 
> Jul 19 22:41:37 dualbit1 postfix/smtpd[834008]: Anonymous TLS connection 
> established from p57b62c8e.dip0.t-ipconnect.de[87.182.44.142]: TLSv1.2 with 
> cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

Your server supports TLS 1.2.

> This android version is old, it's version 4.0.3. I had problems connecting to
> dovecot too and found out android is using TLSv1.

This is quite possibly the issue, and even if Postfix is not explicitly
restricting the TLS version to >= 1.2, your system-wide "openssl.cnf"
file may well be doing that.  Look for "MinProtocol" in that file:

    $ openssl version -d
    OPENSSLDIR: "/etc/ssl"
    $ ls /etc/ssl/openssl.cnf
    /etc/ssl/openssl.cnf

> > I am suspicious of your "SSL3" in there as that should absolutely not be 
> > used, and the default in postfix is
> > 
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> 
> Interestingly I don't have this problem with android connecting to a 
> postfixserver 2.11.11.

That may have been on a system with a different /etc/ssl/openssl.cnf
(perhaps a past version of that file on the same machine).

-- 
    Viktor.
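
An added example, not part of the thread above and not Postfix's or OpenSSL's own code: a small POSIX shell check for the "MinProtocol" floor that a system-wide openssl.cnf can impose regardless of what smtpd_tls_protocols says. The config file used here is constructed for the demonstration (the section names follow the usual openssl_conf / ssl_conf / system_default_sect layout); on a real host point the functions at the file that "openssl version -d" reports, typically /etc/ssl/openssl.cnf. The second function only compares protocol names by rank to show why a client that speaks at most TLSv1 is turned away when the floor is TLSv1.2.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread).
# Reports the MinProtocol floor set in an OpenSSL configuration file and
# shows whether a client limited to a given protocol version would be
# admitted by that floor.

# Print the last MinProtocol value found in the file given as $1,
# or "unset" when the file does not configure one.
openssl_min_protocol() {
    awk '
        /^[[:space:]]*MinProtocol[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # drop "MinProtocol ="
            sub(/[[:space:]]*(#.*)?$/, "")       # drop trailing comment/space
            found = $0
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Rank protocol names so they can be compared; unknown names rank 0.
proto_rank() {
    case "$1" in
        SSLv3)   echo 1 ;;
        TLSv1)   echo 2 ;;
        TLSv1.1) echo 3 ;;
        TLSv1.2) echo 4 ;;
        TLSv1.3) echo 5 ;;
        *)       echo 0 ;;
    esac
}

# Print "allowed" or "rejected": does the floor in config file $1 admit a
# client whose newest supported protocol is $2?
floor_allows() {
    min=$(openssl_min_protocol "$1")
    if [ "$min" = "unset" ]; then
        echo allowed
        return 0
    fi
    if [ "$(proto_rank "$2")" -ge "$(proto_rank "$min")" ]; then
        echo allowed
    else
        echo rejected
    fi
}

# Constructed sample: a Debian/Ubuntu-style openssl.cnf that raises the
# library-wide floor to TLS 1.2 (assumption: illustration only).
SAMPLE_CNF=$(mktemp)
cat > "$SAMPLE_CNF" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
# applies to every OpenSSL user on the host, Postfix and Dovecot included
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
EOF

# Constructed sample with no floor at all, for comparison.
NOFLOOR_CNF=$(mktemp)
cat > "$NOFLOOR_CNF" <<'EOF'
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT
EOF
trap 'rm -f "$SAMPLE_CNF" "$NOFLOOR_CNF"' EXIT

# Stand-alone run: an Android 4.0.3 client that only speaks TLSv1 is
# rejected under the TLS 1.2 floor but admitted when no floor is set.
echo "floor in sample config: $(openssl_min_protocol "$SAMPLE_CNF")"
echo "TLSv1 client, floor TLSv1.2: $(floor_allows "$SAMPLE_CNF" TLSv1)"
echo "TLSv1.2 client, floor TLSv1.2: $(floor_allows "$SAMPLE_CNF" TLSv1.2)"
echo "TLSv1 client, no floor: $(floor_allows "$NOFLOOR_CNF" TLSv1)"
```

The point of the check is that the decision is made inside the OpenSSL library before Postfix's own protocol settings are consulted, so a TLSv1-only client fails the handshake with "unsupported protocol" even when smtpd_tls_protocols would have permitted it; lifting the floor is a deliberate trade-off, since it weakens every OpenSSL consumer on the host at once.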
