If I remember correctly it had something to do with Dovecot
On Feb 23, 2022, at 2:25 AM, Peter Peltonen <peter.pelto...@gmail.com> wrote:
>Hello,
>
>Okay I now tested:
>
>With LEGACY (which I had earlier) I get the
>SSL_routines:set_client_ciphersuite:wrong_cipher_returned error in
>qmail/send log:
>
>But with DEFAULT I get Remote_host_said:_250_2.0.0_OK_accept as the
>result
>
>And I did the test without rebooting nor restarting qmail.
>
>So apparently this command did the trick like Eric suggested:
>
>update-crypto-policies --set DEFAULT
>
>Now I wonder if this has some other consequences, what legacy stuff is
>now incompatible...?
>
>Best,
>Peter
>
>On Mon, 21 Feb 2022 at 17:55, Eric Broch <ebr...@whitehorsetc.com> wrote:
>
>> reboot
>>
>> On 2/21/2022 8:30 AM, Peter Peltonen wrote:
>> > Thanks Eric for the update. Here is what I see:
>> >
>> > [root@mail ~]# update-crypto-policies --show
>> > LEGACY
>> > [root@mail ~]# update-crypto-policies --set DEFAULT
>> > Setting system policy to DEFAULT
>> > Note: System-wide crypto policies are applied on application start-up.
>> > It is recommended to restart the system for the change of policies
>> > to fully take place.
>> >
>> > Is restarting qmail enough or should I even reboot?
>> >
>> > And is there some difference between DEFAULT and FUTURE or are they
>> > the same?
>> >
>> > Best,
>> > Peter
>> >
>> > On Mon, Feb 21, 2022 at 4:39 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
>> >> Upon further reflection, at the end of the qt/cos8 install script there
>> >> is a command, 'update-crypto-policies --set LEGACY' intended for old
>> >> email clients. I don't wonder if this change between cos7 and cos8 might
>> >> have caused the problem. Have a look here:
>> >>
>> >> https://www.redhat.com/en/blog/how-customize-crypto-policies-rhel-82
>> >>
>> >> If you've changed it to 'update-crypto-policies --set DEFAULT' or
>> >> 'update-crypto-policies --set FUTURE' and are still having issues, ask
>> >> hornet security if we can see the actual smtp transaction.
>> >>
>> >> In my earlier email I was saying that there was not much difference
>> >> between the old code and the new code for remote delivery and it was not
>> >> immediately obvious why we would be having a problem.
>> >>
>> >> Eric
>> >>
>> >> On 2/21/2022 7:17 AM, Peter Peltonen wrote:
>> >>> Hi,
>> >>>
>> >>> Is there something I can test? I didn't quite understand from Eric's
>> >>> earlier msg what I should try...
>> >>>
>> >>> One email address producing this error for me is
>> >>> supp...@hornetsecurity.com -> If you like Eric, you could try emailing
>> >>> themselves asking for more details (either they reply to you or you
>> >>> will face the same error). If you don't face the same error then we
>> >>> could try figuring out what is different in our setups?
>> >>>
>> >>> Best,
>> >>> Peter
>> >>>
>> >>> On Sat, Feb 19, 2022 at 6:29 PM Eric Broch <ebr...@whitehorsetc.com> wrote:
>> >>>> Looking through the function tls_init() in the code for qmail-remote.c
>> >>>>
>> >>>> I don't see much that it could be, they're almost identical between
>> >>>> 2.2.1 and 3.3.5
>> >>>>
>> >>>> Will continue looking...
>> >>>>
>> >>>> On 2/18/2022 1:54 PM, Andreas Galatis wrote:
>> >>>>> Hi Finn,
>> >>>>>
>> >>>>> I have tested with the tlsserverciphers of my older server, completed
>> >>>>> with some of the ciphers from the new file and my mails came through.
>> >>>>>
>> >>>>> Thanks a lot for your tip, Finn, I didn't find it in the code
>> >>>>>
>> >>>>> Andreas
>> >>>>>
>> >>>>> On 18.02.22 at 16:56, Qmail wrote:
>> >>>>>> Hi Andreas.
>> >>>>>>
>> >>>>>> In qmail You're properly using /var/qmail/control/tlsclientciphers
>> >>>>>> (that is a link to tlsserverciphers)
>> >>>>>>
>> >>>>>> According to what I read at the Nginx forum, the problem there is
>> >>>>>> because some of the included ciphers are with underscore '_' and not
>> >>>>>> hyphen '-' - I don't know if changing that in the tlsserverciphers
>> >>>>>> file will solve the problem.
>> >>>>>>
>> >>>>>> /Finn
>> >>>>>>
>> >>>>>> On 18-02-2022 at 16:29, Andreas wrote:
>> >>>>>>> I cannot find any file where those ciphers could be adjusted.
>> >>>>>>> Is that compiled in?
>> >>>>>>>
>> >>>>>>> Me too, I have clients not being reachable with the new server
>> >>>>>>> (qmail-1.03-3.3.5), but my old server running qmail-1.03.2.2.1.qt.
>> >>>>>>> Did anyone find a solution?
>> >>>>>>>
>> >>>>>>> Andreas
>> >>>>>>>
>> >>>>>>> On 17.02.22 at 20:28, Qmail wrote:
>> >>>>>>>> Hi.
>> >>>>>>>>
>> >>>>>>>> Not sure it is related, but I just read in the Nginx forum that
>> >>>>>>>> some have issues (failed (SSL: error:0A0000B9:SSL routines::no
>> >>>>>>>> cipher match)) using Mozilla's 'modern' 5.5 ciphers, but everything
>> >>>>>>>> works with Mozilla's 'modern' ciphers 4.0.
>> >>>>>>>> (found testing the Nginx config)
>> >>>>>>>>
>> >>>>>>>> The 5.5 list contains:
>> >>>>>>>>
>> >>>>>>>> ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
>> >>>>>>>>
>> >>>>>>>> The 4.0 list contains:
>> >>>>>>>>
>> >>>>>>>> ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
>> >>>>>>>>
>> >>>>>>>> These are matched against the openssl ciphers that are located on
>> >>>>>>>> the server but are more or less same as the tlsclientciphers used
>> >>>>>>>> in qmail.
>> >>>>>>>>
>> >>>>>>>> Nginx can be set up as a MAIL proxy and therefore may be the reason
>> >>>>>>>> for Your issue ??
>> >>>>>>>>
>> >>>>>>>> or maybe it's just a coincidence ?
>> >>>>>>>>
>> >>>>>>>> Regards,
>> >>>>>>>> Finn
>> >>>>>>>>
>> >>>>>>>> On 17-02-2022 at 08:14, Andreas wrote:
>> >>>>>>>>> Hi list,
>> >>>>>>>>> I have the same failure-mails with some servers, my version of
>> >>>>>>>>> qmail is
>> >>>>>>>>> qmail-1.03-3.3.5.qt.md.el8.x86_64
>> >>>>>>>>>
>> >>>>>>>>> TLS connect failed: error:1421C105:SSL routines:set_client_ciphersuite:wrong cipher returnedZConnected to 83.246.65.85 but connection died.
>> >>>>>>>>>
>> >>>>>>>>> With my old server (qmail-1.03-2.2.1.qt.el7.x86_64) I can send
>> >>>>>>>>> emails to the same recipients.
>> >>>>>>>>> Andreas
>> >>>>>>>>>
>> >>>>>>>>> On 15.02.22 at 09:39, Peter Peltonen wrote:
>> >>>>>>>>>> What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64
>> >>>>>>>>>>
>> >>>>>>>>>> Any reason to update?
>> >>>>>>>>>>
>> >>>>>>>>>> Best,
>> >>>>>>>>>> Peter
>> >>>>>>>>>>
>> >>>>>>>>>> On Sun, Feb 13, 2022 at 5:15 PM Eric Broch
>> >>>>>>>>>> <ebr...@whitehorsetc.com> wrote:
>> >>>>>>>>>>> What version of qmail ?
>> >>>>>>>>>>>
>> >>>>>>>>>>> On 2/12/2022 12:56 PM, Peter Peltonen wrote:
>> >>>>>>>>>>>> Finally got an answer from them (see list below). I see some
>> >>>>>>>>>>>> matching ciphers on their and on my own list. Any idea how I
>> >>>>>>>>>>>> could debug this more so I can find out why mail is not being
>> >>>>>>>>>>>> delivered to their server?
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> best,
>> >>>>>>>>>>>> Peter
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> "
>> >>>>>>>>>>>> OPTION
>> >>>>>>>>>>>> All ciphers
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> DESCRIPTION
>> >>>>>>>>>>>> TLS encryption is only possible with ciphers that are
>> >>>>>>>>>>>> considered as secure by the German Federal Office for
>> >>>>>>>>>>>> Information Security. A TLS connection is only established if
>> >>>>>>>>>>>> the email server of the communication partner supports one of
>> >>>>>>>>>>>> the following ciphers:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> • ECDHE-RSA-AES256-GCM-SHA384
>> >>>>>>>>>>>> • ECDHE-RSA-AES256-SHA384
>> >>>>>>>>>>>> • ECDHE-RSA-AES256-SHA
>> >>>>>>>>>>>> • DHE-RSA-AES256-GCM-SHA384
>> >>>>>>>>>>>> • DHE-RSA-AES256-SHA256
>> >>>>>>>>>>>> • DHE-RSA-AES256-SHA
>> >>>>>>>>>>>> • AES256-GCM-SHA384
>> >>>>>>>>>>>> • AES256-SHA256
>> >>>>>>>>>>>> • AES256-SHA
>> >>>>>>>>>>>> • ECDHE-RSA-DES-CBC3-SHA
>> >>>>>>>>>>>> • EDH-RSA-DES-CBC3-SHA
>> >>>>>>>>>>>> • DES-CBC3-SHA
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> OPTION
>> >>>>>>>>>>>> Secure ciphers
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> DESCRIPTION
>> >>>>>>>>>>>> Secure ciphers TLS encryption is only possible with ciphers
>> >>>>>>>>>>>> that are considered as secure by the German Federal Office for
>> >>>>>>>>>>>> Information Security. A TLS connection is only established if
>> >>>>>>>>>>>> the email server of the communication partner supports one of
>> >>>>>>>>>>>> the following ciphers:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> • ECDHE-RSA-AES256-GCM-SHA384
>> >>>>>>>>>>>> • ECDHE-RSA-AES256-SHA384
>> >>>>>>>>>>>> • DHE-RSA-AES256-GCM-SHA384
>> >>>>>>>>>>>> • DHE-RSA-AES256-SHA256
>> >>>>>>>>>>>> • ECDHE-RSA-AES128-GCM-SHA256
>> >>>>>>>>>>>> • ECDHE-RSA-AES128-SHA256
>> >>>>>>>>>>>> • DHE-RSA-AES128-GCM-SHA256
>> >>>>>>>>>>>> • DHE-RSA-AES128-SHA256
>> >>>>>>>>>>>> "
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> On Mon, Feb 7, 2022 at 4:08 PM Eric Broch
>> >>>>>>>>>>>> <ebr...@whitehorsetc.com> wrote:
>> >>>>>>>>>>>>> Is there a way to contact them and find out what obscure B.S.
>> >>>>>>>>>>>>> they want?
>> >>>>>>>>>>>>>
>> >>>>>>>>>>>>> On 2/7/2022 12:26 AM, Peter Peltonen wrote:
>> >>>>>>>>>>>>>> When trying to deliver email to a domain that is using spam
>> >>>>>>>>>>>>>> protection from antispameurope.com I get the following error:
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> deferral:
>> >>>>>>>>>>>>>> TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> So am I missing something here:
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> [root@mail ~]# cat /var/qmail/control/tlsclientciphers
>> >>>>>>>>>>>>>> TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:ADH-SEED-SHA:SEED-SHA:IDEA-CBC-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-CCM8:ECDHE-ECDSA-AES256-CCM:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ECDSA-ARIA256-GCM-SHA384:ECDHE-ARIA256-GCM-SHA384:DHE-DSS-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-CCM8:ECDHE-ECDSA-AES128-CCM:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM:ECDHE-ECDSA-ARIA128-GCM-SHA256:ECDHE-ARIA128-GCM-SHA256:DHE-DSS-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ADH-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:DHE-RSA-CAMELLIA256-SHA256:DHE-DSS-CAMELLIA256-SHA256:ADH-AES256-SHA256:ADH-CAMELLIA256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-CAMELLIA128-SHA256:DHE-RSA-CAMELLIA128-SHA256:DHE-DSS-CAMELLIA128-SHA256:ADH-AES128-SHA256:ADH-CAMELLIA128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:AECDH-AES256-SHA:ADH-AES256-SHA:ADH-CAMELLIA256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:AECDH-AES128-SHA:ADH-AES128-SHA:ADH-CAMELLIA128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:DHE-PSK-AES256-CCM8:DHE-PSK-AES256-CCM:RSA-PSK-ARIA256-GCM-SHA384:DHE-PSK-ARIA256-GCM-SHA384:AES256-GCM-SHA384:AES256-CCM8:AES256-CCM:ARIA256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:PSK-AES256-CCM8:PSK-AES256-CCM:PSK-ARIA256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-CCM8:DHE-PSK-AES128-CCM:RSA-PSK-ARIA128-GCM-SHA256:DHE-PSK-ARIA128-GCM-SHA256:AES128-GCM-SHA256:AES128-CCM8:AES128-CCM:ARIA128-GCM-SHA256:PSK-AES128-GCM-SHA256:PSK-AES128-CCM8:PSK-AES128-CCM:PSK-ARIA128-GCM-SHA256:AES256-SHA256:CAMELLIA256-SHA256:AES128-SHA256:CAMELLIA128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:ECDHE-PSK-CAMELLIA256-SHA384:RSA-PSK-CAMELLIA256-SHA384:DHE-PSK-CAMELLIA256-SHA384:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:PSK-CAMELLIA256-SHA384:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:ECDHE-PSK-CAMELLIA128-SHA256:RSA-PSK-CAMELLIA128-SHA256:DHE-PSK-CAMELLIA128-SHA256:AES128-SHA:CAMELLIA128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA:PSK-CAMELLIA128-SHA256
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> ?
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> Best,
>> >>>>>>>>>>>>>> Peter
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>>>> ---------------------------------------------------------------------
>> >>>>>>>>>>>>>> To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
>> >>>>>>>>>>>>>> For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
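
Added example, not part of the original thread or of qmailtoaster: a small shell check that splits a tlsclientciphers-style string, picks out the underscore-style TLS 1.3 names Finn mentions, and lists the names shared with the receiving service's published list. LOCAL_CIPHERS is a constructed excerpt of the string quoted above, PEER_CIPHERS is the "Secure ciphers" list quoted above, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: compare a qmail tlsclientciphers string with a peer's cipher list.

# Constructed excerpt of the tlsclientciphers string quoted in the thread.
LOCAL_CIPHERS='TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:DHE-RSA-SEED-SHA:ADH-SEED-SHA:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA'

# The receiving service's "Secure ciphers" list as quoted in the thread.
PEER_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256'

# Print one cipher name per line from a colon-separated cipher string.
split_ciphers() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}

# Entries written in the TLS 1.3 naming style (TLS_ prefix, underscores).
tls13_names() {
    split_ciphers "$1" | grep '^TLS_' || true
}

# Entries present in both lists, kept in local preference order.
shared_ciphers() {
    split_ciphers "$1" | while IFS= read -r name; do
        # -F fixed string, -x whole line, so AES256-SHA never matches AES256-SHA256
        if printf '%s\n' "$2" | grep -Fxq -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

echo "TLS 1.3 style names in the local list:"
tls13_names "$LOCAL_CIPHERS"
echo "Names shared with the peer's list:"
shared_ciphers "$LOCAL_CIPHERS" "$PEER_CIPHERS"
```

To check a live system, pass the contents of /var/qmail/control/tlsclientciphers as the first argument instead of the excerpt. A non-empty overlap here only shows that the configured names match; the system-wide crypto policy discussed above is applied separately.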