On 2022-04-09, Stephan Mending <l...@md5collisions.eu> wrote:
> Hi Tom,
>
> Hm.. I am on the receiving end of this TLS Handshake.
> I am running -release on one and -current on another. Problem and error
> messages are the same.
>
> Excerpt of the running postfix main.cf:
>
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_ciphers = high
> smtp_tls_mandatory_ciphers = high
> smtp_tls_ciphers = high
>
> tls_ssl_options = NO_COMPRESSION, NO_RENEGOTIATION, PRIORITIZE_CHACHA
>
> tls_high_cipherlist =
> HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS:!ARIA
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtpd_tls_protocols = !SSLv2, !SSLv3
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
> smtp_tls_protocols = !SSLv2, !SSLv3
>
> smtpd_tls_security_level = may
>
> tfix/smtpd[97536]: mout.web.de[212.227.17.12]:52515: TLS cipher list
> "HIGH:+aRSA:+SHA384:+SHA256:+DH:+SHA:+kRSA:!eNULL:!aNULL:!PSK:!SRP:!AESCCM:!DSS:!ARIA:!aNULL"
I suggest starting by commenting out all of the above lines in favour of the defaults, which are sane, and take things from there. If you can get *some* connection then you'll have a better idea of what the other side is trying to use and how it matches/doesn't match with your settings.

IMHO, unless you're disabling plaintext SMTP completely (in which case you can't expect to receive email from the whole internet anyway), for incoming delivery from other MXs it's usually better to have some encryption rather than none.

Some of the settings you have used, e.g. those in tls_ssl_options, are not supported at all by libressl anyway. I don't know what will happen if you set them.

If you want higher requirements for your own users with authenticated SMTP, just put those settings on the listeners for that, i.e. on the submission/smtps ports in master.cf:

    submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_tls_mandatory_ciphers=high
      -o smtpd_tls_mandatory_protocols=!TLSv1,!TLSv1.1
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions=permit_sasl_authenticated,reject
      -o milter_macro_daemon_name=ORIGINATING

-- 
Please keep replies on the mailing list.
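The point of the reply is that per-service "-o" overrides in master.cf let the submission listener be strict while port 25 keeps the permissive main.cf defaults. The following script, added here as an illustration and not part of the thread or of Postfix, parses a constructed main.cf and master.cf in that shape and reports the TLS settings each listener actually ends up with; the main.cf values are sample ones chosen for the example.

```python
"""Work out the effective per-listener TLS settings Postfix would apply,
given main.cf defaults and per-service "-o" overrides from master.cf."""
import re

# Constructed sample input modelled on the thread (not a real config).
MAIN_CF = """
smtpd_tls_security_level = may
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

MASTER_CF = """
smtp       inet  n       -       y       -       -       smtpd
submission inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_mandatory_ciphers=high
  -o smtpd_tls_mandatory_protocols=!TLSv1,!TLSv1.1
  -o smtpd_sasl_auth_enable=yes
"""


def parse_main_cf(text):
    """Return {parameter: value} from simple 'key = value' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def parse_master_cf(text):
    """Return {service: {parameter: value}} collected from '-o key=value'
    continuation lines (indented lines belong to the preceding service)."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and current is not None:
            for key, value in re.findall(r"-o\s+(\w+)=(\S+)", line):
                services[current][key] = value
        else:
            current = line.split()[0]
            services[current] = {}
    return services


def effective_settings(main_cf, master_cf, params):
    """For every listener, the value of each parameter after overrides."""
    defaults = parse_main_cf(main_cf)
    return {name: {p: o.get(p, defaults.get(p, "")) for p in params}
            for name, o in parse_master_cf(master_cf).items()}
```

On a live system, `postconf -P` prints the master.cf "-o" overrides directly, which is the quicker way to audit what each listener enforces.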