On Aug 20, 2013, at 11:48, Sebastian Wiesinger <postfix-us...@ml.karotte.org> wrote:
> GMX and web.de started an initiative for secure E-Mail made in
> Germany... they turned TLS on.
>
> But in addition to that bold move they did something else that causes
> the following errors when they try to send mail to my postfix:
>
> postfix/smtpd[28706]: connect from mout.web.de[212.227.15.14]
> postfix/smtpd[28706]: SSL_accept error from mout.web.de[212.227.15.14]: 0
> postfix/smtpd[28706]: warning: TLS library problem: 28706:error:14094438:SSL
> routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1256:SSL alert
> number 80:
> postfix/smtpd[28706]: lost connection after STARTTLS from
> mout.web.de[212.227.15.14]
> postfix/smtpd[28706]: disconnect from mout.web.de[212.227.15.14]
>
> Postfix 2.9.6 running on Debian 7.1.
>
> This error ONLY occurs with their servers. My question is if anyone
> has an idea what could cause this error. My first guess is that they
> check certificates for validity and I only have a CACert certificate.
> Also I would like to know if anyone else sees this on their postfix?
>
> Currently I've disabled STARTTLS for their mailservers but of course I
> would like to use TLS if possible. Would increasing the tls log level
> reveal additional helpful information?

Same Postfix, same Debian, from yesterday afternoon:

==
postfix/smtpd[25199]: connect from mout.web.de[212.227.15.14]
postfix/smtpd[25199]: Anonymous TLS connection established from mout.web.de[212.227.15.14]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
postfix/smtpd[25199]: 3cJRKD6cRCz5G: client=mout.web.de[212.227.15.14]
postfix/smtpd[25199]: disconnect from mout.web.de[212.227.15.14]
==

Self-signed, 2048-bit certificate from our own root. Picks the same cipher and TLS version as in Heiko's example, it seems.

Perhaps it's your certificate, perhaps your Postfix settings? No odd overrides for the defaults anywhere, forced cipher suites or anything?
Aside from the certificate and key, these are our only non-default settings:

smtpd_tls_loglevel = 1
smtpd_tls_security_level = may

HTH,
Joni
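To compare the failing and the working session side by side, here is an added example (not from the thread or from Postfix) that parses smtpd log lines like the two exchanges quoted above, groups them by process id, and records per session either the negotiated protocol and cipher or the TLS alert number the peer sent, decoded with the alert names from RFC 5246. The sample log is constructed from the lines in this thread with the wrapped warning line rejoined; the syslog prefix is assumed to have been stripped.

```python
import re
from collections import defaultdict

# Constructed sample: the failing session from Sebastian's report and the
# successful one from Joni's reply, with wrapped lines rejoined.
SAMPLE_LOG = """\
postfix/smtpd[28706]: connect from mout.web.de[212.227.15.14]
postfix/smtpd[28706]: SSL_accept error from mout.web.de[212.227.15.14]: 0
postfix/smtpd[28706]: warning: TLS library problem: 28706:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1256:SSL alert number 80:
postfix/smtpd[28706]: lost connection after STARTTLS from mout.web.de[212.227.15.14]
postfix/smtpd[28706]: disconnect from mout.web.de[212.227.15.14]
postfix/smtpd[25199]: connect from mout.web.de[212.227.15.14]
postfix/smtpd[25199]: Anonymous TLS connection established from mout.web.de[212.227.15.14]: TLSv1.2 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)
postfix/smtpd[25199]: 3cJRKD6cRCz5G: client=mout.web.de[212.227.15.14]
postfix/smtpd[25199]: disconnect from mout.web.de[212.227.15.14]
"""

PID_RE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)")
PEER_RE = re.compile(r"from (\S+)\[[\d.]+\]")
ALERT_RE = re.compile(r"SSL alert number (\d+)")
TLS_OK_RE = re.compile(r"TLS connection established from \S+: (\S+) with cipher (\S+)")

# TLS alert descriptions (RFC 5246, section 7.2); only a few are listed here.
TLS_ALERTS = {40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              70: "protocol_version", 80: "internal_error"}


def summarize_starttls(log_text):
    """Group smtpd lines by process id; per session record the peer name and
    either the negotiated protocol/cipher or the TLS alert the peer sent."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = PID_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions[pid]
        peer = PEER_RE.search(msg)
        if peer and "peer" not in s:
            s["peer"] = peer.group(1)  # first "from host[ip]" seen for this pid
        ok = TLS_OK_RE.search(msg)
        if ok:
            s["status"] = "ok"
            s["protocol"], s["cipher"] = ok.groups()
        alert = ALERT_RE.search(msg)
        if alert:
            code = int(alert.group(1))
            s["status"] = "failed"
            s["alert"] = f"{code} ({TLS_ALERTS.get(code, 'unknown')})"
    return dict(sessions)
```

Run against a real mail log, sessions that end with "failed" and a decoded alert can be grouped by peer, which makes a sender-specific problem like the one above stand out from general STARTTLS noise.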