I updated a postfix server,

    postconf mail_version
    mail_version = 3.8.1

on

    lsb_release -rd
    Description: Fedora release 38 (Thirty Eight)
    Release: 38

with

    openssl version
    OpenSSL 3.0.9 30 May 2023 (Library: OpenSSL 3.0.9 30 May 2023)

with a system-default openssl config that contains

    cat /etc/ssl/openssl.cnf
    openssl_conf = default_conf
    [default_conf]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    MinProtocol = TLSv1.2
    ...

and

    postconf | grep -i tls_proto
    lmtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
    smtp_tls_protocols = >=TLSv1.1, <=TLSv1.3
    smtpd_tls_protocols = >=TLSv1.1, <=TLSv1.3
    tlsproxy_tls_protocols = $smtpd_tls_protocols

Tests @

    https://www.checktls.com/TestReceiver

with

    SSL Version = TLSv1_2

succeed, as expected.

With

    SSL Version = TLSv1_1

they fail with

    [000.000] Trying TLS on mx.example.com[192.0.2.1:25] (5)
    [000.010] Server answered
    [006.470] <-- 220 mx.example.com ESMTP . All access monitored/recorded.
    [006.470] We are allowed to connect
    [006.471] --> EHLO www12-azure.checktls.com
    [006.479] <-- 250-mx.example.com
    250-PIPELINING
    250-SIZE 104857600
    250-STARTTLS
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 SMTPUTF8
    [006.480] We can use this server
    [006.480] TLS is an option on this server
    [006.480] --> STARTTLS
    [006.489] <-- 220 2.0.0 Ready to start TLS
    [006.489] STARTTLS command works on this server
    [007.511] Cannot convert to SSL (reason: SSL connect attempt failed error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure)
    [007.512] Note: This same test with Format set to "Debug" may show more
    [007.512] --> MAIL FROM:<[email protected]>
    [007.512] Read failed (reason: did not read)
    [007.512] --> QUIT
    [007.512] Read failed (reason: did not read)

I'm attempting to split off a postfix-specific openssl conf, as enabled by v3.8.1's 'two new parameters "tls_config_file" and "tls_config_name".', and enable TLSv1_1 support.

I create

    ls -al /etc/postfix/openssl_postfix.cnf
    -rw-r--r--. 1 root postfix 3.1K Jun 6 07:37 openssl_postfix.cnf

    cat /etc/postfix/openssl_postfix.cnf
    openssl_conf = default_conf
    [default_conf]
    ssl_conf = ssl_sect
    [ssl_sect]
    system_default = system_default_sect
    [system_default_sect]
    MinProtocol = TLSv1.1

and add to

    cat /etc/postfix/main.cf
    + tls_config_file = /etc/postfix/openssl_postfix.cnf
    + tls_config_name = openssl_conf

    postconf | grep -i tls_config_
    tls_config_file = /etc/postfix/openssl_postfix.cnf
    tls_config_name = openssl_conf

No errors reported on postfix restart; mail still flows.

But, test @

    https://www.checktls.com/TestReceiver

with

    SSL Version TLSv1_1

still fail, as above.

What config change/addition is needed to get postfix to use the

    MinProtocol = TLSv1.1

spec'd in the id'd tls_config_file, and enable TLSv1.1?
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
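The post hinges on OpenSSL's three-level indirection (openssl_conf -> ssl_conf -> system_default) actually resolving to the section that carries MinProtocol. The script below is an added example, not part of this thread and not Postfix or OpenSSL code: it parses a config file of the layout shown in the post, follows that chain from the application name (the value Postfix passes as tls_config_name, assumed here to default to "openssl_conf"), reports which MinProtocol the file declares, flags anything below TLSv1.2 for review, and names the first missing link if the chain is broken. The embedded sample is constructed from the post's openssl_postfix.cnf; the script does not read the live system, and `.include` directives are recorded but not followed, so settings pulled in from other files are outside its view.

```python
"""Resolve an OpenSSL config's system_default chain and report MinProtocol.

Added example for reviewing a file like the post's openssl_postfix.cnf.
Not Postfix or OpenSSL code; the sample below is constructed.
"""
import re

# Constructed sample, mirroring the layout of the post's openssl_postfix.cnf.
SAMPLE_CNF = """\
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.1
"""

# OpenSSL protocol names in ascending order, used to rank MinProtocol values.
PROTO_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_openssl_cnf(text):
    """Parse the INI-like OpenSSL config into {section: {key: value}}.

    Keys before the first [section] header are stored under "" (top level).
    Deliberate limitation: .include lines are recorded under the ".include"
    key of the current section but the referenced file is not read.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[\s*([^\]]+?)\s*\]$", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.startswith(".include"):
            path = line[len(".include"):].strip(" =")
            sections[current].setdefault(".include", []).append(path)
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def _follow(sections, sect, key):
    """Return the section name stored at sections[sect][key], or raise KeyError."""
    if sect not in sections:
        raise KeyError(f"section [{sect}] is missing")
    target = sections[sect].get(key)
    if target is None:
        raise KeyError(f"[{sect or 'top level'}] has no '{key} = <section>' line")
    return target


def resolve_system_default(sections, app_name="openssl_conf"):
    """Walk app_name -> ssl_conf -> system_default.

    Returns (settings of the final section, [section names visited]).
    Raises KeyError naming the first broken link, which is the usual reason a
    MinProtocol line has no effect.
    """
    app_sect = _follow(sections, "", app_name)
    ssl_sect = _follow(sections, app_sect, "ssl_conf")
    tls_sect = _follow(sections, ssl_sect, "system_default")
    if tls_sect not in sections:
        raise KeyError(f"section [{tls_sect}] is missing")
    return dict(sections[tls_sect]), [app_sect, ssl_sect, tls_sect]


def min_protocol_rank(settings):
    """Index of MinProtocol in PROTO_ORDER, or None if the section declares none."""
    declared = settings.get("MinProtocol")
    if declared is None:
        return None
    if declared not in PROTO_ORDER:
        raise ValueError(f"unrecognised MinProtocol value {declared!r}")
    return PROTO_ORDER.index(declared)


def audit(text, app_name="openssl_conf"):
    """Parse, resolve and summarise what the file declares for TLS."""
    sections = parse_openssl_cnf(text)
    settings, chain = resolve_system_default(sections, app_name)
    rank = min_protocol_rank(settings)
    return {
        "chain": chain,
        "MinProtocol": settings.get("MinProtocol"),
        # True when the file itself would admit TLS 1.1 or older.
        "allows_pre_tls12": rank is not None and rank < PROTO_ORDER.index("TLSv1.2"),
        "includes": [p for s in sections.values() for p in s.get(".include", [])],
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CNF)
    print("chain:", " -> ".join(report["chain"]))
    print("MinProtocol:", report["MinProtocol"],
          "(pre-TLS1.2 allowed:", report["allows_pre_tls12"], ")")
    if report["includes"]:
        print("not followed:", ", ".join(report["includes"]))
```

Run it against a real file with `audit(open("/etc/postfix/openssl_postfix.cnf").read(), app_name)`, passing the same value as tls_config_name; a KeyError pinpoints which hop of the chain is misspelled or absent, and a report with `allows_pre_tls12` set is the line to question in review, since the file only states what the library is permitted to negotiate, not what the other side of the connection will accept.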