> 2024-11-08T16:14:09.034570+01:00 mail postfix/submissions/smtpd[107564]: connect from unknown[192.168.1.1]
> 2024-11-08T16:14:09.040936+01:00 mail postfix/submissions/smtpd[107564]: SSL_accept error from unknown[192.168.1.1]: -1
> 2024-11-08T16:14:09.042051+01:00 mail postfix/submissions/smtpd[107564]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
> 2024-11-08T16:14:09.043133+01:00 mail postfix/submissions/smtpd[107564]: lost connection after CONNECT from unknown[192.168.1.1]
> 2024-11-08T16:14:09.043723+01:00 mail postfix/submissions/smtpd[107564]: disconnect from unknown[192.168.1.1] commands=0/0
>
> Can anyone tell me what this means?

You were talking about a scanner in your original mail. It's possible that its firmware (ssl library) is too old to know about modern ciphers and it might take some effort to get postfix to accept those. RedHat has already disabled SHA1 for example (you would need to enable a legacy policy for that) and other distributions might have made compile time changes.

In case your scanner is local to your postfix network, encryption might not be mandatory. You could add another submission service to master.cf and bind it to a separate local ip where you don't enforce tls for submission with sasl.

Another option is to redesign a part of your network and connect scanner and postfix via routable ips (no NAT). That way you don't need sasl and can accept the scanner's ip for relay. This approach requires an additional firewall though in order to replace the basic protection that NAT provides.

Moreover those devices can be security risks due to lacking software updates. It is a good idea to limit the amount of mails they can send and monitor the log for anomalies.

Best regards,
Gerald
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
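
One way to do the log monitoring suggested in the reply, as an added example that is not part of the original message: the "TLS library problem" line carries no client address, so the script ties it to the client through the smtpd process ID of the preceding "connect from" line. The function name `tls_failures` and the 192.168.1.7 session are constructed for illustration; the 192.168.1.1 lines are the quoted log with its wrapped lines rejoined.

```python
import re
from collections import Counter, defaultdict

# First session: the log quoted above. Second session (pid 107570,
# 192.168.1.7) is constructed to show interleaved smtpd processes.
SAMPLE_LOG = """\
2024-11-08T16:14:09.034570+01:00 mail postfix/submissions/smtpd[107564]: connect from unknown[192.168.1.1]
2024-11-08T16:14:09.036000+01:00 mail postfix/submissions/smtpd[107570]: connect from unknown[192.168.1.7]
2024-11-08T16:14:09.040936+01:00 mail postfix/submissions/smtpd[107564]: SSL_accept error from unknown[192.168.1.1]: -1
2024-11-08T16:14:09.041000+01:00 mail postfix/submissions/smtpd[107570]: SSL_accept error from unknown[192.168.1.7]: -1
2024-11-08T16:14:09.041500+01:00 mail postfix/submissions/smtpd[107570]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:../ssl/statem/statem_srvr.c:1657:
2024-11-08T16:14:09.042051+01:00 mail postfix/submissions/smtpd[107564]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:../ssl/statem/statem_srvr.c:2220:
2024-11-08T16:14:09.043133+01:00 mail postfix/submissions/smtpd[107564]: lost connection after CONNECT from unknown[192.168.1.1]
2024-11-08T16:14:09.043723+01:00 mail postfix/submissions/smtpd[107564]: disconnect from unknown[192.168.1.1] commands=0/0
2024-11-08T16:14:09.044000+01:00 mail postfix/submissions/smtpd[107570]: disconnect from unknown[192.168.1.7] commands=0/0
"""

LINE = re.compile(r"^\S+ \S+ (postfix/\S+)\[(\d+)\]: (.*)$")
CLIENT = re.compile(r"^connect from \S*\[([^\]]+)\]")
# The function-name field is empty with OpenSSL 3 and filled in by older versions.
REASON = re.compile(r"TLS library problem: error:[0-9A-Fa-f]+:SSL routines:[^:]*:([^:]+):")

def tls_failures(log_text):
    """Return {client IP: {OpenSSL failure reason: count}} for a Postfix log."""
    current = {}                       # (service, pid) -> client of the open session
    failures = defaultdict(Counter)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                   # not a Postfix daemon line
        service, pid, msg = m.groups()
        key = (service, pid)
        client = CLIENT.match(msg)
        if client:
            current[key] = client.group(1)
        elif msg.startswith("disconnect from"):
            current.pop(key, None)     # session over; the pid will be reused
        else:
            reason = REASON.search(msg)
            if reason:
                failures[current.get(key, "unknown")][reason.group(1)] += 1
    return {ip: dict(reasons) for ip, reasons in failures.items()}

if __name__ == "__main__":
    for ip, reasons in tls_failures(SAMPLE_LOG).items():
        print(ip, reasons)
```
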