Thank you so much for the suggestion to review the crypto setting as this indeed a RedHat based distribution. I confirmed it is set to "default" which means “The default system-wide cryptographic policy level offers secure settings for current threat models. It allows the TLS 1.2 and 1.3 protocols, as well as the IKEv2 and SSH2 protocols. The RSA keys and Diffie-Hellman parameters are accepted if they are at least 2048 bits long.”
Source: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening The system in question was located and is an older than dirt system running a LONG obsolete version of Gentoo. My best guess is that the system was accidentally powered on during a generator test due to a former employee not properly decommissioning the system many years ago. The configuration change that I wrote about (disabling the STARTTLS keyword for the IP address) did allow my Postfix gateways to route email without any issue. I am going to guess the age or configuration of the system is to blame. I have started the official process to pull the plug on the server so it can be wiped and recycled. On Fri, May 5, 2023 at 7:29 PM Viktor Dukhovni via Postfix-users < postfix-users@postfix.org> wrote: > On Fri, May 05, 2023 at 06:55:23PM -0500, E R via Postfix-users wrote: > > > postfix/smtpd[1234567]: SSL_accept error from > xxx.xxx.xxx[yyy.yyy.yyy.yyy]: -1 > > postfix/smtpd[1234567]: warning: TLS library problem: > > error:03000098:digital envelope routines::invalid > digest:crypto/evp/m_sigver.c:343: > > postfix/smtpd[1234567]: warning: TLS library problem: > > error:0A0C0103:SSL routines::internal > error:ssl/statem/statem_srvr.c:2684: > > This problem may be worth further analysis. It appears that OpenSSL has > chosen a signature algorithm (public key algorithm + digest method, e.g. > RSA with SHA256, ...) at the TLS layer, but failed to initialise a > signature context at the crypto API layer. This is odd, because the > known TLS layer combinations should map to known crypto layer > primitives. > > Are you on a RedHat system perhaps? RedHat's latest releases have > turned up crypto policy to "11", and may refuse to, for example, support > RSA with SHA1. The remote client may have one of the really dated TLS > stacks that doesn't know how to do anything better. > > If your system is a RHEL or recent Fedora or similar system, or perhaps > by now other distributions have joined the club, then you'll to find the > relevant crypto policy file and dial it down a bit (on an MTA doing > opportunistic TLS, RSA with SHA1 is better than cleartext). > > Similar considerations may apply not only to MTAs but also to validating > DNS resolvers, and perhaps other applications. > > The various distributions may publish instructions on recommnded ways to > tune the crypto policy. > > If all the above is false lead, then the problem is more mysterious, and > perhaps a PCAP file capturing a failed handshake would be a good next > step. > > You should of course also share ( > https://www.postfix.org/DEBUG_README.html#mail) > > $ postconf -nf > $ postconf -Mf > > without any changes in whitespace, including line breaks. Attaching > these as text files may be simplest if your mail client won't coöperate. > > -- > Viktor. > _______________________________________________ > Postfix-users mailing list -- postfix-users@postfix.org > To unsubscribe send an email to postfix-users-le...@postfix.org >
_______________________________________________ Postfix-users mailing list -- postfix-users@postfix.org To unsubscribe send an email to postfix-users-le...@postfix.org
