> On 07/09/2023 03:49 EEST Ralph Seichter via dovecot <dovecot@dovecot.org>
> wrote:
>
> * Marc Schiffbauer via dovecot:
>
> > Wild guess: you need to explicitly allow for example DEFAULT@SECLEVEL=0
> > ciphersuite in postfix to make *your* openssl accept this remote sslv3
> > connection
>
> Thanks, Marc. I had thought about this, and have tried various Postfix
> parameters related to TLS ciphers and protocols. So far, no dice. In the
> meantime, I also ran tests using Swaks, and this resulted in a possible
> different route of investigation: Postfix uses a certificate issued by
> Let's Encrypt (secp384r1) for both in- and outbound connections with
> STARTTLS. If I use the same certificate with Swaks, I see the same error
> as I do with Postfix. If I use Swaks *without* specifying a local TLS
> certificate, the STARTTLS handshake works:
>
> === Trying talvi.dovecot.org:25...
> === Connected to talvi.dovecot.org.
> <- 220 talvi.dovecot.org ESMTP Postfix (Debian/GNU)
> -> EHLO ra.horus-it.com
> <- 250-talvi.dovecot.org
> <- 250-PIPELINING
> <- 250-SIZE 104857600
> <- 250-ETRN
> <- 250-STARTTLS
> <- 250-ENHANCEDSTATUSCODES
> <- 250-8BITMIME
> <- 250-DSN
> <- 250 CHUNKING
> -> STARTTLS
> <- 220 2.0.0 Ready to start TLS
> === TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
> === TLS no local certificate set
> === TLS peer DN="/CN=talvi.dovecot.org"
>
> Looks like the combination of certificate ciphers and OpenSSL library
> versions on my end and on the talvi.dovecot.org end is causing some
> bother. The original error message points to a protocol issue, not a
> cipher problem, and how SSLv3 gets into the mix is anybody's guess.
> Perhaps I'll see clearer after some much needed sleep.
>
> -Ralph
I updated the settings a bit on the server as well. Maybe it works better now?

Aki
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
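Ralph's Swaks comparison (handshake fails with the local certificate loaded, succeeds without it) and Marc's SECLEVEL hint both come down to one question: what did the client side actually offer and negotiate? The following is an added Python example, not code from this thread or from the Postfix, Swaks or Dovecot projects. It parses a Swaks transcript such as the one quoted above into a small result record, turns that record into findings an admin would act on, and offers a live equivalent of the Swaks run built on `smtplib` so the same client can be tried with and without a client certificate or with a different OpenSSL cipher/security-level string. The helper names (`parse_swaks`, `assess`, `build_context`, `probe_starttls`), the `StartTlsResult` record and the `probe.example.invalid` HELO name are all assumptions of this example; `SAMPLE_TRANSCRIPT` is the transcript quoted above, trimmed and embedded here as constructed input.

```python
import re
import smtplib
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the swaks transcript quoted in the thread, trimmed to the
# lines the parser looks at. It was not produced by running this script.
SAMPLE_TRANSCRIPT = """\
=== Trying talvi.dovecot.org:25...
=== Connected to talvi.dovecot.org.
<-  220 talvi.dovecot.org ESMTP Postfix (Debian/GNU)
 -> EHLO ra.horus-it.com
<-  250-talvi.dovecot.org
<-  250-STARTTLS
<-  250 CHUNKING
 -> STARTTLS
<-  220 2.0.0 Ready to start TLS
=== TLS started with cipher TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256
=== TLS no local certificate set
=== TLS peer DN="/CN=talvi.dovecot.org"
"""


@dataclass
class StartTlsResult:
    offered: bool            # server advertised STARTTLS in its EHLO reply
    started: bool            # the TLS handshake completed
    protocol: Optional[str]  # e.g. "TLSv1.2"
    cipher: Optional[str]    # e.g. "ECDHE-RSA-AES256-GCM-SHA384"
    local_cert: bool         # a client certificate was presented
    peer_dn: Optional[str]   # subject DN of the server certificate


_OFFER_RE = re.compile(r"^<-\s+250[- ]STARTTLS$")
_CIPHER_RE = re.compile(
    r"TLS started with cipher (?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)")
_DN_RE = re.compile(r'TLS peer DN="(?P<dn>[^"]*)"')


def parse_swaks(transcript: str) -> StartTlsResult:
    """Extract the STARTTLS outcome from a swaks transcript."""
    offered = started = no_local_cert = False
    protocol = cipher = peer_dn = None
    for raw in transcript.splitlines():
        line = raw.strip()
        if _OFFER_RE.match(line):
            offered = True
        m = _CIPHER_RE.search(line)
        if m:
            started = True
            protocol, cipher = m.group("proto"), m.group("cipher")
        if "TLS no local certificate set" in line:
            no_local_cert = True
        m = _DN_RE.search(line)
        if m:
            peer_dn = m.group("dn")
    # swaks states explicitly when no client certificate was configured.
    local_cert = started and not no_local_cert
    return StartTlsResult(offered, started, protocol, cipher, local_cert, peer_dn)


def assess(r: StartTlsResult) -> List[str]:
    """Findings a mail admin would act on; an empty list means the run looks fine."""
    findings: List[str] = []
    if not r.offered:
        findings.append("server did not advertise STARTTLS")
    elif not r.started:
        findings.append("STARTTLS offered but handshake did not complete")
    elif r.protocol not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"negotiated {r.protocol}; only TLS 1.2+ should be accepted")
    return findings


def build_context(client_cert: Optional[str] = None, client_key: Optional[str] = None,
                  ciphers: Optional[str] = None) -> ssl.SSLContext:
    """Client-side context. `ciphers` is an OpenSSL cipher string, so a
    security-level variant such as "DEFAULT@SECLEVEL=1" can be compared
    against the default without touching the MTA configuration."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    if ciphers:
        ctx.set_ciphers(ciphers)
    return ctx


def probe_starttls(host: str, port: int = 25, ctx: Optional[ssl.SSLContext] = None,
                   local_cert: bool = False,
                   helo: str = "probe.example.invalid") -> StartTlsResult:
    """Live equivalent of the swaks run: EHLO, STARTTLS, report what was negotiated.
    Needs network access; the caller says whether ctx carries a client certificate."""
    ctx = ctx or build_context()
    with smtplib.SMTP(host, port, local_hostname=helo, timeout=15) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return StartTlsResult(False, False, None, None, local_cert, None)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLError:
            return StartTlsResult(True, False, None, None, local_cert, None)
        sock = smtp.sock
        # Approximates the swaks "/CN=..." rendering from the parsed subject.
        subject = sock.getpeercert().get("subject", ())
        dn = "/" + "/".join(f"{k}={v}" for rdn in subject for k, v in rdn)
        return StartTlsResult(True, True, sock.version(), sock.cipher()[0], local_cert, dn)


if __name__ == "__main__":
    result = parse_swaks(SAMPLE_TRANSCRIPT)
    print(result)
    print(assess(result) or ["no findings"])
```

Running the module parses the embedded transcript; to reproduce Ralph's comparison live, call `probe_starttls("talvi.dovecot.org")` once with `build_context()` and once with `build_context(client_cert="/path/to/fullchain.pem", client_key="/path/to/privkey.pem")`, passing `local_cert=True` for the second, and diff the two results. The parser deliberately treats the absence of a `TLS started with cipher` line as a failed handshake rather than matching any specific error text, since the wording of failures varies with the OpenSSL build on each side.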