> Have you tried connecting to this server with:
>
> $ openssl s_client -connect <hostname>:25 \
> -starttls smtp -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH'
>
> Seems like determining whether the ciphers could interoperate is the
> first step.
On 26.11.24 02:24, Viktor Dukhovni via Postfix-users wrote:
> On Mon, Nov 25, 2024 at 03:29:54PM +0100, Matus UHLAR - fantomas via
> Postfix-users wrote:
> > works with tls1.3, doesn't work otherwise:
>
> Of course, because TLS 1.3 ignores "-ciphers", it does algorithm
> negotiation very differently.
Aha, that explains it, thanks.
> > 00A77BF7:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake
> > failure:../ssl/record/rec_layer_s3.c:1605:SSL alert number 40
>
> Ah, so the server refuses these, sending an alert. Now you need to
> determine why the server is unwilling.
> > Alert Message
> > Level: Fatal (2)
> > Description: Handshake Failure (40)
>
> That's not useful without knowing which party sent the alert.
sorry, forgot to say it was server reply to TLS helo.
> As confirmed by the s_client test. It sure looks like RSA key exchange
> is disabled in your OpenSSL (unless you've Postfix settings that
> disable 'kRSA' or CBC ciphers). In which case you'd need to figure
> out how to reënable it, or build your own OpenSSL to link Postfix with,
> that is not crippled. To avoid problems with shared library conflicts,
> you'd need a "shlib_variant". In my builds I add a file to the
> "Configurations" directory of the source tree:
I believe I found the problem, and it was caused by dehydrated, a script to
generate Let's Encrypt certificates.
- after the upgrade to 0.7.0, dehydrated started requesting secp384r1
algorithms, which apparently disabled RSA negotiation
After requesting an RSA certificate, the client's device succeeded in connecting
with TLS 1.2. It even works with:
smtpd_tls_mandatory_ciphers=high
and I haven't changed any _cipherlist variable.
Thanks, Viktor, for the assistance.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.
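An added example, not from this thread nor from Postfix, OpenSSL or dehydrated: a small POSIX sh script that runs the two s_client probes discussed above (TLS 1.3, and TLS 1.2 restricted to RSA key exchange) and then reads the key algorithm of the certificate the server presented, to tell an EC-only certificate (which makes kRSA suites impossible, as with dehydrated's secp384r1 keys) apart from a cipher list or library policy that disables kRSA. It assumes openssl(1) is on PATH and the target speaks SMTP with STARTTLS; the function names are mine.

```shell
#!/bin/sh
# Added example: classify the two s_client probes from the thread plus the
# server certificate's key type. Assumes openssl(1) on PATH. Not part of
# Postfix, OpenSSL or dehydrated; all function names are made up here.

# Classify an s_client transcript stored in file $1:
# handshake_failure (alert 40 from the peer), ok (a cipher was agreed), none.
classify_handshake() {
    if grep -q 'alert number 40' "$1"; then echo handshake_failure
    elif grep -q 'Cipher *: [A-Z]' "$1"; then echo ok
    else echo none
    fi
}

# Key algorithm from "openssl x509 -noout -text" output in file $1: rsa, ec, unknown.
key_type() {
    if grep -q 'Public Key Algorithm: rsaEncryption' "$1"; then echo rsa
    elif grep -q 'Public Key Algorithm: id-ecPublicKey' "$1"; then echo ec
    else echo unknown
    fi
}

# $1 = result of the TLS 1.2 kRSA probe, $2 = certificate key type.
# RSA key exchange encrypts the premaster secret to the server's RSA key,
# so with an EC-only certificate no kRSA suite can ever be selected.
explain() {
    case "$1/$2" in
        ok/*) echo "TLS 1.2 with RSA key exchange works; nothing to change" ;;
        handshake_failure/ec) echo "server presents an EC certificate, so kRSA suites cannot match: issue an RSA certificate (dehydrated: KEY_ALGO=rsa) or accept ECDHE-only clients" ;;
        handshake_failure/rsa) echo "RSA certificate present: look at smtpd_tls_*_ciphers, smtpd_tls_exclude_ciphers and the OpenSSL security level/policy" ;;
        *) echo "inconclusive: probe=$1 key=$2" ;;
    esac
}

# One STARTTLS handshake against $1:$2; remaining args go to s_client.
probe() {
    host=$1; port=$2; shift 2
    printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" -starttls smtp "$@" 2>&1
}

run_checks() {
    t13=$(mktemp); t12=$(mktemp); cert=$(mktemp)
    probe "$1" "$2" -tls1_3 >"$t13" || true
    probe "$1" "$2" -tls1_2 -cipher 'HIGH+AES+kRSA+CBC:@STRENGTH' >"$t12" || true
    openssl x509 -noout -text <"$t13" >"$cert" 2>/dev/null || true   # PEM cert is in the transcript
    kt=$(key_type "$cert")
    echo "TLS 1.3: $(classify_handshake "$t13")  TLS 1.2+kRSA: $(classify_handshake "$t12")  cert key: $kt"
    explain "$(classify_handshake "$t12")" "$kt"
    rm -f "$t13" "$t12" "$cert"
}

if [ $# -gt 0 ]; then run_checks "$1" "${2:-25}"; fi
```

Run as `sh probe.sh mail.example.org 25`; the three classifier functions can also be fed saved s_client and x509 output for offline analysis.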
Postfix-users mailing list -- postfix-users@postfix.org