On 03/04/2024 01:08, Viktor Dukhovni via Postfix-users wrote:
On Thu, Mar 28, 2024 at 09:58:13AM +0200, Levente Birta via Postfix-users wrote:
That's worth a try:
588 inet ... smtpd
    -o smtpd_tls_security_level=encrypt
    -o smtpd_tls_mandatory_protocols=TLSv1.2
    ...
Limiting to only TLSv1.2 did the job.
It sure looks like something was causing the client's initial attempt
with TLS 1.3 to not work, and when the client retried with TLS 1.2, the
server objected, since it supported TLS 1.3. Now that the server
supports TLS 1.2 only, it did not mind the fallback signal.
The other possibility is that the client never tried TLS 1.3, and was
implemented by a clueless keyboard-monkey, who decided to always send
the fallback SCSV even though there was no fallback. That's sad, if
true.
As I said, this is an old (2019/2020) Dahua DVR ... I have doubts that
this DVR supports TLSv1.3, although I don't remember when TLSv1.3 became
largely used.
From my experience, these devices are always a few years behind the
currently accepted standard (like ActiveX vs HTML5).
I saw NVRs (2023 model) which still send email with TLSv1.2, but, at
least, they negotiate correctly with the TLSv1.3-enabled smtpd server.
Levi
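
Added example, not part of the thread and not Postfix or OpenSSL code: a Python model of the RFC 7507 server-side check discussed above, showing why a TLS 1.2 ClientHello carrying TLS_FALLBACK_SCSV is refused while the server still offers TLS 1.3 and accepted once smtpd_tls_mandatory_protocols is limited to TLSv1.2. It assumes a client that sends no supported_versions extension; the ClientHello bytes and all function names are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert description (RFC 7507)
VERSIONS = {"TLSv1.2": 0x0303, "TLSv1.3": 0x0304}


def build_client_hello(version, suites):
    """Constructed sample ClientHello body (no extensions, hypothetical client)."""
    body = struct.pack("!H", version) + bytes(32)   # client_version + random
    body += b"\x00"                                 # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                       # null compression only


def parse_client_hello(body):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    try:
        (version,) = struct.unpack_from("!H", body, 0)
        pos = 2 + 32                                # skip version and random
        pos += 1 + body[pos]                        # skip session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
    except (struct.error, IndexError):
        raise ValueError("truncated ClientHello")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack_from("!H", body, pos + i)[0]
              for i in range(0, cs_len, 2)]
    return version, suites


def server_alert(body, server_protocols):
    """Apply the RFC 7507 server rule; return the alert number or None."""
    version, suites = parse_client_hello(body)
    server_max = max(VERSIONS[p] for p in server_protocols)
    if TLS_FALLBACK_SCSV in suites and server_max > version:
        return INAPPROPRIATE_FALLBACK
    return None


if __name__ == "__main__":
    hello = build_client_hello(0x0303, [0xC02F, TLS_FALLBACK_SCSV])
    print(server_alert(hello, ["TLSv1.2", "TLSv1.3"]))  # TLS 1.3 still offered
    print(server_alert(hello, ["TLSv1.2"]))             # limited to TLSv1.2
```

The same ClientHello without the 0x5600 value passes the check in both server configurations, which is the behaviour the 2023 NVR in the thread shows.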