On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote:

> What's your suggestion to avoid the following problem?
>
> Sep 22 13:11:22 postfix/smtpd[21000]: connect from
> dragon.trusteddomain.org[208.69.40.156]
> Sep 22 13:11:25 postfix/smtpd[21000]: SSL_accept error from
> dragon.trusteddomain.org[208.69.40.156]: -1
> Sep 22 13:11:25 postfix/smtpd[21000]: warning: TLS library problem:
> error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared
> cipher:ssl/statem/statem_srvr.c:2284:
> Sep 22 13:11:25 postfix/smtpd[21000]: lost connection after STARTTLS from
> dragon.trusteddomain.org[208.69.40.156]
> Sep 22 13:11:25 postfix/smtpd[21000]: disconnect from
> dragon.trusteddomain.org[208.69.40.156] ehlo=1 starttls=0/1 commands=1/2
>
> I only see this warning with this particular client.
You might find another one in your logs now. :-)

$ posttls-finger -g HIGH -o tls_high_cipherlist='DEFAULT:!aECDSA' -p '!TLSv1.3' mars.unx.se
posttls-finger: Connected to mx.unx.se[2600:3c04::f03c:91ff:feea:d4d]:25
posttls-finger: < 220 phobos.unx.se ESMTP
posttls-finger: > EHLO amnesiac
posttls-finger: < 250-phobos.unx.se
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 10240000
posttls-finger: < 250-ETRN
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250 CHUNKING
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 Ready to start TLS
posttls-finger: SSL_connect error to mx.unx.se[2600:3c04::f03c:91ff:feea:d4d]:25: -1
posttls-finger: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40:

> I'm running Postfix 3.6-20200830 compiled with openssl-1.1.1g. Using
> Let's Encrypt certificate.

Specifically, an ECDSA P-256 certificate, but some systems don't (yet?)
support ECDSA. You'd need an additional RSA certificate to interoperate
with their sending MTA's limited STARTTLS cipher/protocol repertoire.

On Tue, Sep 22, 2020 at 05:25:13PM +0200, Markus E. wrote:

> > On Tue, Sep 22, 2020 at 04:37:55PM +0200, Markus E. wrote:
> >>
> >> Is it possible to not announce STARTTLS to some clients?
> >
> > http://www.postfix.org/postconf.5.html#smtpd_discard_ehlo_keyword_address_maps
>
> Thank you!
> Problem circumvented but not solved :)

Or just let them fail to establish STARTTLS, and retry in cleartext,
though based on the MX host of trusteddomains.org (which appears to be
running Sendmail), that might not work out, since IIRC Sendmail does not
fall back to cleartext when STARTTLS is announced, but fails.
The combination of a rather ancient, poorly interoperable TLS stack
(TLSv1 only or preferred, no ECDSA support) with an inability to retry
without STARTTLS makes their SMTP servers rather brittle. One might
reasonably take the view that the problem is theirs to solve.

https://dilbert.com/strip/1995-06-24

-- 
Viktor.
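Added here as an illustration (this is not code from the thread, from Viktor, or from the Postfix project): a small POSIX shell script that first scans smtpd log lines for clients whose handshake died with "no shared cipher", tying the warning (which names no client) to the preceding "SSL_accept error from host[ip]" line of the same smtpd process so that other handshake failures are not counted, and then prints the two main.cf remedies the thread discusses: a second, RSA chain served next to the ECDSA one via smtpd_tls_chain_files (the fix, Postfix 3.4 and later), and hiding STARTTLS from one client address via smtpd_discard_ehlo_keyword_address_maps (the workaround). The log lines are constructed from the excerpt above; the hostnames, addresses, certificate paths and the cidr map file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the Postfix project.
# Hostnames, IPs, paths and the map file name are assumptions.

# Constructed sample log, modelled on the excerpt in the thread. Two of
# the three failing handshakes are "no shared cipher" (pids 21000, 21002);
# pid 21003 fails for a different reason and must not be counted.
SAMPLE_LOG='Sep 22 13:11:22 mx postfix/smtpd[21000]: connect from dragon.trusteddomain.org[208.69.40.156]
Sep 22 13:11:25 mx postfix/smtpd[21000]: SSL_accept error from dragon.trusteddomain.org[208.69.40.156]: -1
Sep 22 13:11:25 mx postfix/smtpd[21000]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2284:
Sep 22 13:11:25 mx postfix/smtpd[21000]: lost connection after STARTTLS from dragon.trusteddomain.org[208.69.40.156]
Sep 22 13:11:30 mx postfix/smtpd[21001]: connect from good.example.net[192.0.2.10]
Sep 22 13:11:31 mx postfix/smtpd[21001]: Anonymous TLS connection established from good.example.net[192.0.2.10]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Sep 22 13:12:02 mx postfix/smtpd[21002]: connect from dragon.trusteddomain.org[208.69.40.156]
Sep 22 13:12:05 mx postfix/smtpd[21002]: SSL_accept error from dragon.trusteddomain.org[208.69.40.156]: -1
Sep 22 13:12:05 mx postfix/smtpd[21002]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2284:
Sep 22 13:12:40 mx postfix/smtpd[21003]: connect from old.example.org[198.51.100.7]
Sep 22 13:12:41 mx postfix/smtpd[21003]: SSL_accept error from old.example.org[198.51.100.7]: -1
Sep 22 13:12:41 mx postfix/smtpd[21003]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:332:'

# Read log lines on stdin; print "<count> <host[ip]>" per client whose
# STARTTLS handshake failed with "no shared cipher", most frequent first.
no_shared_cipher_clients() {
  awk '
    # Every smtpd line carries its process id; key the state on it.
    match($0, /postfix\/smtpd\[[0-9]+\]/) { pid = substr($0, RSTART, RLENGTH) }
    /SSL_accept error from / {
      host = $0
      sub(/.*SSL_accept error from /, "", host)
      sub(/: -1$/, "", host)
      client[pid] = host
    }
    # The OpenSSL warning names no peer; attribute it to the client whose
    # SSL_accept failed in the same process, then forget that handshake.
    /no shared cipher/ && (pid in client) {
      count[client[pid]]++
      delete client[pid]
    }
    END { for (h in count) print count[h], h }
  ' | sort -rn
}

# The fix: serve an RSA chain alongside the ECDSA one so a client without
# ECDSA support still finds a shared cipher. Postfix reads the list in
# order; each private key must come right before its certificate chain
# (here in separate files, as Let'\''s Encrypt lays them out). Paths assumed.
dual_chain_main_cf() {
  cat <<'EOF'
smtpd_tls_chain_files =
    /etc/letsencrypt/live/mx.example.org/privkey.pem,
    /etc/letsencrypt/live/mx.example.org/fullchain.pem,
    /etc/letsencrypt/live/mx.example.org-rsa/privkey.pem,
    /etc/letsencrypt/live/mx.example.org-rsa/fullchain.pem
EOF
}

# The workaround: stop announcing STARTTLS to one client address, so it
# never attempts TLS and delivers in cleartext. The map is indexed by the
# client address and holds a list of EHLO keywords (case-insensitive) to
# drop from the EHLO response. The cidr file name is assumed.
discard_starttls_cidr() {
  cat <<'EOF'
# main.cf
smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/discard_ehlo.cidr
# /etc/postfix/discard_ehlo.cidr
208.69.40.156/32   starttls
EOF
}

printf '%s\n' "$SAMPLE_LOG" | no_shared_cipher_clients
dual_chain_main_cf
discard_starttls_cidr
```

On a real system, feed `no_shared_cipher_clients` from the mail log (e.g. `journalctl -u postfix -o cat | no_shared_cipher_clients`, assuming a systemd unit of that name) to see which peers would benefit from the RSA chain; after applying either change, re-run the `posttls-finger` invocation from the post above, with `-o tls_high_cipherlist='DEFAULT:!aECDSA'` to mimic a client lacking ECDSA, and confirm the handshake now completes instead of returning alert 40.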