Thanks Matthias, great point. I was sure that should've fixed the problem as it should indeed be SHA256. For some weird reason I still can't connect with TLS1.3 though. Some additional information while trying to connect from localhost with smtpd_log_level=2:
# cat /var/log/maillog
Jan 22 16:13:11 ares postfix/smtpd[24282]: initializing the server-side TLS engine
Jan 22 16:13:11 ares postfix/smtpd[24282]: connect from localhost[::1]
Jan 22 16:13:11 ares postfix/smtpd[24282]: setting up TLS connection from localhost[::1]
Jan 22 16:13:11 ares postfix/smtpd[24282]: localhost[::1]: TLS cipher list "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305"
Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept:before SSL initialization
Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept:before SSL initialization
Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL3 alert write:fatal:protocol version
Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept:error in error
Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL_accept error from localhost[::1]: -1
Jan 22 16:13:11 ares postfix/smtpd[24282]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 22 16:13:11 ares postfix/smtpd[24282]: lost connection after STARTTLS from localhost[::1]
Jan 22 16:13:11 ares postfix/smtpd[24282]: disconnect from localhost[::1] ehlo=1 starttls=0/1 commands=1/2

Same happens for STARTTLS over port 587:

# openssl s_client -starttls smtp -crlf -tls1_3 -connect localhost:587
CONNECTED(00000003)
139770914207552:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70

Kind regards,
Taco de Wolff

On Mon, Jan 22, 2024 at 11:54 AM Matthias Schneider <matthias.schnei...@rmail.de> wrote:
> Hi,
>
> I think this has something to do with smtpd_tls_fingerprint_digest:
>
> smtpd_tls_fingerprint_digest = ${{$compatibility_level} <level {3.6} ? {md5} : {sha256}}
>
> since you have 3.5 it's using md5, try to set this value to sha256
>
> best regards
> Matthias
>
> ------------------------------
> From: "Taco de Wolff via Postfix-users" <postfix-users@postfix.org>
> To: "postfix-users" <postfix-users@postfix.org>
> Sent: Monday, 22 January 2024 15:44:40
> Subject: [pfx] Enabling TLS1.3 and allow sending over SMTPS/465
>
> Hi,
>
> Two questions really, one is that I can't enable TLS1.3 whatever I try.
> Running CentOS8 with OpenSSL v1.1.1k-FIPS and Postfix v3.5.8, I confirm
> that TLS1.3 ciphers are available:
>
> # openssl version
> OpenSSL 1.1.1k FIPS 25 Mar 2021
>
> # postconf -T compile-version
> OpenSSL 1.1.1k FIPS 25 Mar 2021
>
> # postconf -T run-version
> OpenSSL 1.1.1k FIPS 25 Mar 2021
>
> # openssl ciphers -v
> TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
> TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
> etc.
>
> Relevant configuration for port 465 (implicit TLS):
> # postconf
> smtpd_tls_cert_file = /path/to/crt
> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers =
> smtpd_tls_key_file = /path/to/key
> smtpd_tls_mandatory_ciphers = medium
> smtpd_tls_mandatory_exclude_ciphers =
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> tls_medium_cipherlist = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
> smtpd_tls_security_level = encrypt
> smtpd_tls_wrappermode = yes
>
> Trying to connect using TLS1.3 on a client that supports both TLS1.3
> ciphersuites, I get:
> $ openssl s_client -connect server.hostname:465 -tls1_3
> Connecting to [IPADDRESS]
> CONNECTED(00000003)
> 40879BE5F97F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:861:SSL alert number 70
>
> Has this something to do with FIPS mode? I don't think so because the
> ciphers show up in OpenSSL. Why is TLS1.3 not getting enabled?
>
> Second question came up while fixing a blocked outbound port 25 with my
> ISP. I've noticed that mail gets sent to DANE enabled servers, I suppose
> because it uses port 587 using STARTTLS. I wonder if postfix allows sending
> mail over the recommended implicit TLS port 465 between mail servers? The
> documentation isn't very clear on the distinction between (implicit) TLS
> and STARTTLS, but setting smtp_tls_wrappermode=yes would force using
> implicit TLS (right?), while I want to use opportunistic implicit TLS (with
> fallback to STARTTLS, it's better than nothing) which can be enforced by
> DANE enabled servers.
>
> Kind regards,
> Taco de Wolff
>
> _______________________________________________
> Postfix-users mailing list -- postfix-users@postfix.org
> To unsubscribe send an email to postfix-users-le...@postfix.org
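Added example, not part of the thread: a small Python parser that turns smtpd log lines like the ones above into a per-session summary and flags sessions whose handshake failed, so the fatal "protocol version" alert and the OpenSSL reason string can be picked out of a busy maillog. The regexes are my own, and the second, successful session (pid 24283) is a constructed sample for contrast.

```python
"""Summarise TLS handshake outcomes per postfix/smtpd session from syslog lines."""
import re
from collections import defaultdict

LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ALERT_RE = re.compile(r"SSL3 alert write:fatal:(?P<alert>.+)$")
# OpenSSL 1.1.1 style: error:<code>:SSL routines:<function>:<reason>:<file>:<line>:
LIBERR_RE = re.compile(r"error:(?P<code>[0-9A-Fa-f]+):SSL routines:(?P<func>[^:]+):(?P<reason>[^:]+):")
DISC_RE = re.compile(r"^disconnect from (?P<client>\S+) (?P<counts>.*)$")

# Lines taken from the thread above (a failed TLS 1.3 STARTTLS attempt) plus one
# constructed successful session (pid 24283) for contrast.
SAMPLE_LOG = """\
Jan 22 16:13:11 ares postfix/smtpd[24282]: connect from localhost[::1]
Jan 22 16:13:11 ares postfix/smtpd[24282]: setting up TLS connection from localhost[::1]
Jan 22 16:13:11 ares postfix/smtpd[24282]: SSL3 alert write:fatal:protocol version
Jan 22 16:13:11 ares postfix/smtpd[24282]: warning: TLS library problem: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol:ssl/statem/statem_srvr.c:1686:
Jan 22 16:13:11 ares postfix/smtpd[24282]: lost connection after STARTTLS from localhost[::1]
Jan 22 16:13:11 ares postfix/smtpd[24282]: disconnect from localhost[::1] ehlo=1 starttls=0/1 commands=1/2
Jan 22 16:20:02 ares postfix/smtpd[24283]: connect from localhost[::1]
Jan 22 16:20:02 ares postfix/smtpd[24283]: disconnect from localhost[::1] ehlo=2 starttls=1 quit=1 commands=4
""".splitlines()

def summarise(lines):
    """Return {pid: {client, alert, error, starttls}} built from smtpd log lines."""
    sessions = defaultdict(lambda: {"client": None, "alert": None, "error": None, "starttls": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a postfix/smtpd line
        s, msg = sessions[m["pid"]], m["msg"]
        if msg.startswith("connect from "):
            s["client"] = msg.split()[2]
        elif (a := ALERT_RE.search(msg)):
            s["alert"] = a["alert"]          # e.g. "protocol version"
        elif (e := LIBERR_RE.search(msg)):
            s["error"] = (e["code"], e["func"], e["reason"])
        elif (d := DISC_RE.match(msg)):
            # Postfix logs per-command counts as successful/total (a single number
            # when every attempt succeeded), so starttls=0/1 is one STARTTLS that
            # never completed.
            counts = dict(kv.partition("=")[::2] for kv in d["counts"].split())
            s["starttls"] = counts.get("starttls")
    return dict(sessions)

def failed_handshakes(sessions):
    """Sessions where the server sent a fatal alert or STARTTLS never completed."""
    return {pid: s for pid, s in sessions.items()
            if s["alert"] or (s["starttls"] or "").startswith("0/")}

if __name__ == "__main__":
    for pid, s in failed_handshakes(summarise(SAMPLE_LOG)).items():
        print(pid, s["client"], s["alert"], s["error"])
```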