On 16/02/2021 11:46, Dominic Raferd wrote:
>
> On 16/02/2021 10:28, Jeff Abrahamson wrote:
>>
>> I have a client that's triggering these errors in my logs (and is
>> therefore unable to send even though he can read mail ok):
>>
>>     [...]
>>
>> [...]
>>
>> I'd like to do what I can to verify/understand and not just relax
>> constraints blindly.
>>
>> On my server I've set this, which I thought was permissive enough but
>> not too much:
>>
>>     smtpd_tls_mandatory_protocols = SSLv3, TLSv1
>>
>> [...]
>>
> Those are terrible settings, probably the opposite of what you want.
> For auth clients I have:
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> This refuses anything below TLSv1.2, and works fine with clients
> running Thunderbird on Windows 10.
>
> Thunderbird v78 disables TLSv1.0 and TLSv1.1 by default for good
> safety reasons. This is almost certainly the reason for the errors you
> are seeing - your server is trying to force the client to connect with
> outdated protocols (SSLv3 or TLSv1) and the client refuses.

Thanks.  That was, indeed, the issue, and I'm happy to have discovered
this error in our config.

I'm not sure quite why the TLS string was set thus (recommendation
somewhere that I clearly read with an inverted '!').  But no one was
looking at it recently.

Thanks again.

-- 
Jeff Abrahamson
+33 6 24 40 01 57
+44 7920 594 255

http://p27.eu/jeff/
http://mobilitains.fr/
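
The difference between the two settings in this thread, as an added example (not code from either poster or from Postfix): a simplified Python model of how a name/`!name` protocol list is read, checked against a client that has TLSv1.0 and TLSv1.1 disabled. The function names and the client profile are constructed for illustration, and the model assumes the server's TLS library supports every listed version.

```python
import re

# Protocol names accepted in smtpd_tls_mandatory_protocols, oldest first.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def enabled_protocols(value):
    """Return the protocols a name/!name list leaves enabled, oldest first.

    Simplified model: a bare name includes that protocol, "!name" excludes it,
    and once any name is included, every protocol not included is switched off.
    An empty list allows everything. The ">=TLSv1.2" form of newer Postfix
    releases is not handled here.
    """
    include, exclude = set(), set()
    for token in filter(None, re.split(r"[,:\s]+", value.strip())):
        name = token.lstrip("!")
        if name not in KNOWN:
            raise ValueError(f"unknown protocol name: {token!r}")
        (exclude if token.startswith("!") else include).add(name)
    base = include if include else set(KNOWN)
    return [p for p in KNOWN if p in base and p not in exclude]


def negotiate(server_value, client_protocols):
    """Highest protocol both sides allow, or None if no handshake can succeed."""
    common = [p for p in enabled_protocols(server_value) if p in client_protocols]
    return common[-1] if common else None


# Constructed client profile: TLSv1.0 and TLSv1.1 disabled, as the thread
# describes for Thunderbird v78 defaults.
MODERN_CLIENT = {"TLSv1.2", "TLSv1.3"}

ORIGINAL = "SSLv3, TLSv1"                       # setting from the first message
CORRECTED = "!SSLv2, !SSLv3, !TLSv1, !TLSv1.1"  # setting from the reply

if __name__ == "__main__":
    for label, value in (("original", ORIGINAL), ("corrected", CORRECTED)):
        print(f"{label:9} {value!r}")
        print(f"  server allows : {enabled_protocols(value)}")
        print(f"  modern client : {negotiate(value, MODERN_CLIENT)}")
```

On a live server, `postconf smtpd_tls_mandatory_protocols` prints the value actually in effect, which can then be read the same way.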
