Several years ago, I had trouble delivering to an old Exchange server while trying to enforce TLS. I'm not sure if this applies to your situation, but this worked for me.
In main.cf, I have:

smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

In tls_policy, I added:

domainname encrypt ciphers=low exclude=MD5:SRP:PSK:aDSS:kECDH:kDH:SEED:IDEA:RC2

On 2020-11-30 1:07 pm, SysAdmin EM wrote:
> I use Postfix as an SMTP server, in the last few days I have started to see
> an error delivering mail to some servers.
>
> I am trying to deliver an email to a Server with Microsoft Exchange 2007 and
> I receive the following message.
>
>> Nov 30 15:29:40 smarthost04-ded postfix-out/qmgr[9305]: 56253920A60: from=<fvid...@infoauto.com.ar>, size=7238, nrcpt=1 (queue active)
>> Nov 30 15:29:40 smarthost04-ded postfix/smtp[9335]: 32FEC920C41: to=<fvid...@exchange.infoauto.com.ar>, relay=127.0.0.1[127.0.0.1]:10026, delay=0.24, delays=0.1/0/0.04/0.09, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 56253920A60)
>> Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: Cannot start TLS: handshake failure
>> Nov 30 15:29:40 smarthost04-ded postfix-out/smtp[9312]: 56253920A60: to=<fvid...@exchange.infoauto.com.ar>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.12, delays=0.09/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
>
> I have read the documentation but I cannot understand why this error occurs.
>
> This is my configuration
>
> ```
> postconf mail_version
> mail_version = 3.5.2
>
> smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
> smtp_tls_protocols = !SSLv2:!SSLv3
> smtpd_tls_cert_file = /etc/pki/tls/certs/linux.ferozo.com.pem
> smtpd_tls_key_file = /etc/pki/tls/private/linux.ferozo.com.key
> smtpd_tls_security_level = may
> smtpd_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtpd_ssl_cache
> smtp_tls_security_level = may
> smtp_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtp_ssl_cache
> ```
>
> Here I make a connection to the destination server
>
> ```
> posttls-finger -c -Ldebug "exet02.hostmar.com"
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
> posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
> posttls-finger: SSL_connect:before/connect initialization
> posttls-finger: SSL_connect:SSLv2/v3 write client hello A
> posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection
> ```
>
> Any ideas??
>
> Regards,
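The reply above relies on a per-destination entry in smtp_tls_policy_maps overriding the global cipher settings in main.cf. The following is an added example (not code from Postfix, and not from either poster) that parses the source form of such a tls_policy table and works out the effective cipher settings for one destination by merging the entry with main.cf values. The merge rule it applies is my reading of postconf(5): `ciphers=` replaces smtp_tls_mandatory_ciphers, `exclude=` replaces smtp_tls_mandatory_exclude_ciphers, and smtp_tls_exclude_ciphers is applied at every security level regardless; treat that as an assumption to confirm against TLS_README for your version. The main.cf values are the original poster's, the policy line is the replier's with `domainname` replaced by the placeholder `example.invalid`, and both are embedded as constructed sample input. Note that with the original poster's global smtp_tls_exclude_ciphers, RC4 and RC5 stay excluded for every destination even after adding the replier's policy line; whether that matters for the Exchange 2007 host is not something the thread shows, but the script makes the gap visible before you change anything.

```python
"""Parse a Postfix tls_policy source file and compute the effective per-destination
TLS cipher settings.  Added example for the thread above; not Postfix code."""
import re
from typing import Dict, List

# Security levels accepted in an smtp_tls_policy_maps table (postconf(5)).
POLICY_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
                 "fingerprint", "verify", "secure"}
# Per-destination attributes the table may carry (postconf(5), smtp_tls_policy_maps).
POLICY_ATTRS = {"ciphers", "exclude", "protocols", "match",
                "servername", "tafile", "connection_reuse"}


def split_list(value: str) -> List[str]:
    """Split a Postfix list: main.cf separates items with commas/whitespace,
    a policy-table exclude= value separates them with ':'."""
    return [item for item in re.split(r"[,:\s]+", value) if item]


def parse_tls_policy(text: str) -> Dict[str, dict]:
    """Parse the pre-postmap source of a tls_policy table into
    {destination: {"level": str, "attrs": {name: value}}}.
    Unknown levels or attributes raise ValueError so a typo fails loudly
    instead of silently weakening (or tightening) delivery.
    Continuation lines (leading whitespace) are not handled here."""
    policy: Dict[str, dict] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # Postfix tables: '#' comments start the line
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'destination level [attr=value ...]'")
        dest, level, *attrs = fields
        if level not in POLICY_LEVELS:
            raise ValueError(f"line {lineno}: unknown security level {level!r}")
        parsed: Dict[str, str] = {}
        for attr in attrs:
            key, sep, value = attr.partition("=")
            if not sep or key not in POLICY_ATTRS:
                raise ValueError(f"line {lineno}: unknown attribute {attr!r}")
            parsed[key] = value
        policy[dest.lower()] = {"level": level, "attrs": parsed}
    return policy


def effective_settings(main_cf: Dict[str, str], entry: dict) -> dict:
    """Merge main.cf defaults with one policy entry.
    ASSUMED semantics (my reading of postconf(5), verify for your release):
      - ciphers=  replaces smtp_tls_mandatory_ciphers for this destination
      - exclude=  replaces smtp_tls_mandatory_exclude_ciphers for this destination
      - smtp_tls_exclude_ciphers is always applied, at every security level
    Missing main.cf keys are reported as '(main.cf default)' rather than guessed."""
    attrs = entry["attrs"]
    global_excl = split_list(main_cf.get("smtp_tls_exclude_ciphers", ""))
    if "exclude" in attrs:
        level_excl = split_list(attrs["exclude"])
    else:
        level_excl = split_list(main_cf.get("smtp_tls_mandatory_exclude_ciphers", ""))
    return {
        "level": entry["level"],
        "ciphers": attrs.get("ciphers", main_cf.get("smtp_tls_mandatory_ciphers", "(main.cf default)")),
        "protocols": attrs.get("protocols", main_cf.get("smtp_tls_mandatory_protocols", "(main.cf default)")),
        "excluded": sorted(set(global_excl) | set(level_excl)),
        # Items the policy's exclude= left out but main.cf still blocks everywhere.
        "still_excluded_globally": sorted(set(global_excl) - set(level_excl)),
    }


# Constructed sample input: the original poster's main.cf values and the
# replier's tls_policy line with 'domainname' replaced by a placeholder.
MAIN_CF = {
    "smtp_tls_security_level": "may",
    "smtp_tls_exclude_ciphers": "MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4",
    "smtp_tls_protocols": "!SSLv2:!SSLv3",
}
TLS_POLICY_SRC = """\
# destination     level    per-destination overrides
example.invalid   encrypt  ciphers=low exclude=MD5:SRP:PSK:aDSS:kECDH:kDH:SEED:IDEA:RC2
"""


def demo() -> dict:
    """Effective settings for the placeholder destination with the sample input."""
    policy = parse_tls_policy(TLS_POLICY_SRC)
    return effective_settings(MAIN_CF, policy["example.invalid"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Run it against your own main.cf values (`postconf smtp_tls_exclude_ciphers smtp_tls_mandatory_exclude_ciphers`) and tls_policy source before running `postmap`; if `still_excluded_globally` lists a cipher family you meant to allow for one legacy peer, the per-destination `exclude=` alone will not re-enable it under the assumed semantics.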