Hi Finn,
I have tested with the tlsserverciphers of my older server, completed
with some of the ciphers from the new file and my mails came through.
Thanks a lot for your tip, Finn, I didn't find it in the code.
Andreas
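
An added example, not part of any message in this thread: one way to run the comparison discussed in the quoted messages below, checking a local cipher list against the remote's published "Secure ciphers" list and separating out the underscore-style TLS 1.3 names, which OpenSSL configures separately from the hyphenated cipher list. The function names and the sample local list are assumptions constructed for illustration, and only explicit cipher names are handled, not keywords such as HIGH.

```python
import re

# Remote "Secure ciphers" list exactly as quoted in the thread.
REMOTE_SECURE = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES256-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES128-SHA256",
]

# Constructed sample of a tlsclientciphers file (not from a real server):
# the three underscore names from the thread plus two hyphenated names.
SAMPLE_LOCAL = (
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:"
    "TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384\n"
)

# Underscore-style names are TLS 1.3 suites; a TLS 1.2 cipher-list
# string does not select them, so they cannot count as overlap here.
TLS13_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")


def parse_cipher_list(text):
    """Split an OpenSSL-style cipher string on ':', ',' or whitespace."""
    return [c for c in re.split(r"[:,\s]+", text.strip()) if c]


def compare(local_text, remote):
    """Return TLS 1.3 names, shared names and local-only names,
    each in the local list's preference order."""
    local = parse_cipher_list(local_text)
    tls12 = [c for c in local if not TLS13_NAME.match(c)]
    remote_set = set(remote)
    return {
        "tls13_names": [c for c in local if TLS13_NAME.match(c)],
        "shared": [c for c in tls12 if c in remote_set],
        "local_only": [c for c in tls12 if c not in remote_set],
    }


if __name__ == "__main__":
    for key, names in compare(SAMPLE_LOCAL, REMOTE_SECURE).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
```

An empty "shared" result means no TLS 1.2 cipher can be agreed with that remote, whatever TLS 1.3 names the file also contains.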
On 18.02.22 at 16:56, Qmail wrote:
Hi Andreas.
In qmail You're properly using /var/qmail/control/tlsclientciphers
(that is a link to tlsserverciphers)
According to what I read at the Nginx forum, the problem there is
because some of the included ciphers are with underscore '_' and not
hyphen '-' - I don't know if changing that in the tlsserverciphers file
will solve the problem.
/Finn
On 18-02-2022 at 16:29, Andreas wrote:
I cannot find any file where those ciphers could be adjusted.
Is that compiled in?
Me too, I have clients not being reachable with the new server
(qmail-1.03-3.3.5), but my old server running qmail-1.03.2.2.1.qt.
Did anyone find a solution?
Andreas
On 17.02.22 at 20:28, Qmail wrote:
Hi.
Not sure it is related, but I just read in the Nginx forum that some
have issues (failed (SSL: error:0AB9:SSL routines::no cipher
match)) using Mozilla's 'modern' 5.5 ciphers, but everything works
with Mozilla's 'modern' ciphers 4.0.
(found testing the Nginx config)
The 5.5 list contains :
ssl_ciphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256';
The 4.0 list contains:
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
These are matched against the openssl ciphers that are located on
the server but are more or less same as the tlsclientciphers used in
qmail.
Nginx can be set up as a MAIL proxy and therefore may be the reason
for Your issue ??
or maybe it's just a coincidence ?
Regards,
Finn
On 17-02-2022 at 08:14, Andreas wrote:
Hi list,
I have the same failure-mails with some servers, my version of
qmail is
qmail-1.03-3.3.5.qt.md.el8.x86_64
TLS connect failed: error:1421C105:SSL routines:set_client_ciphersuite:wrong cipher returnedZConnected to 83.246.65.85 but connection died.
With my old server (qmail-1.03-2.2.1.qt.el7.x86_64) I can send
emails to the same recipients.
Andreas
On 15.02.22 at 09:39, Peter Peltonen wrote:
What I have installed is qmail-1.03-3.3.1.qt.md.el8.x86_64
Any reason to update?
Best,
Peter
On Sun, Feb 13, 2022 at 5:15 PM Eric Broch wrote:
What version of qmail ?
On 2/12/2022 12:56 PM, Peter Peltonen wrote:
Finally got an answer from them (see list below). I see some matching
ciphers on their and on my own list. Any idea how I could debug this
more so I can find out why mail is not being delivered to their server?
best,
Peter
"
OPTION
All ciphers
DESCRIPTION
TLS encryption is only possible with ciphers that are considered as
secure by the German Federal Office for Information Security. A TLS
connection is only established if the email server of the
communication partner supports one of the following ciphers:
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA
• DHE-RSA-AES256-GCM-SHA384
• DHE-RSA-AES256-SHA256
• DHE-RSA-AES256-SHA
• AES256-GCM-SHA384
• AES256-SHA256
• AES256-SHA
• ECDHE-RSA-DES-CBC3-SHA
• EDH-RSA-DES-CBC3-SHA
• DES-CBC3-SHA
OPTION
Secure ciphers
DESCRIPTION
TLS encryption is only possible with ciphers that are considered as
secure by the German Federal Office for Information Security. A TLS
connection is only established if the email server of the
communication partner supports one of the following ciphers:
• ECDHE-RSA-AES256-GCM-SHA384
• ECDHE-RSA-AES256-SHA384
• DHE-RSA-AES256-GCM-SHA384
• DHE-RSA-AES256-SHA256
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES128-SHA256
• DHE-RSA-AES128-GCM-SHA256
• DHE-RSA-AES128-SHA256
"
On Mon, Feb 7, 2022 at 4:08 PM Eric Broch wrote:
Is there a way to contact them and find out what obscure B.S. they want?
On 2/7/2022 12:26 AM, Peter Peltonen wrote:
When trying to deliver email to a domain that is using spam protection
from antispameurope.com I get the following error:
deferral:
TLS_connect_failed:_error:1421C105:SSL_routines:set_client_ciphersuite:wrong_cipher_returnedZConnected_to_83.246.65.85_but_connection_died._(#4.4.2)/
So am I missing something here:
[root@mail ~]# cat /var/qmail/control/tlsclientciphers