On Tue, Jan 21, 2025 at 05:16:29PM -0500, Wietse Venema via Postfix-users wrote:
> > [root@host /]# postconf -n | grep tls
> > milter_rcpt_macros = i {rcpt_addr} {rcpt_host} {rcpt_mailer}
> >     {tls_version}
> > smtp_tls_CAfile = /etc/pki/tls/certs/ca-bundle.crt
> > smtp_tls_CApath = /etc/pki/tls/certs
> > smtp_tls_security_level = may
> > smtpd_tls_cert_file = /etc/letsencrypt/live/example.com/fullchain.pem
> > smtpd_tls_key_file = /etc/letsencrypt/live/example.com/privkey.pem
> > smtpd_tls_security_level = may

Nothing in the Postfix config, but do note that on RedHat / Fedora
systems there's also "crypto policy" that cranks up security to 11 to
protect users against fairly exotic threats, so you end up with
cleartext instead of reasonably, but not maximally, secure TLS.

> > I just wanted to make sure that you weren't cranking up security to 11.
>
> Assuming that your certificate and key are good, I speculate that
> the client wants to use a different type of certificate. There are
> howtos to configure the Postfix SMTP server with both RSA and ECDSA
> certs from letsencrypt.

The message was "no shared cipher", so perhaps the client supported
only SHA1-based TLS 1.0 ciphers, but the server had SHA1 turned off
by crypto policy, or the client wanted RC4, ...

This is of course assuming a legitimate client and not a Shodan
survey probe testing the TLS stack for stuff that should be turned
off.

--
    Viktor.

_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org