Hi people, I'm running postfix 2.9.6 and openssl 1.0.1 stock from Ubuntu 12.04 LTS.
postfix is generally working fine as a relay to several SMTP servers (using a relayhost_map). However, there is one server that is causing trouble so that I cannot use it with postfix (while directly addressing it with e.g. kmail works). That server is run by a large organization, so I can't change its configuration. The errors I see are these:

> […] postfix/smtp[9689]: warning: TLS library problem: 9689:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> […] postfix/smtp[9689]: 033661A108A: to=<f...@bar.com>, relay=server[X.X.X.X]:587, delay=0.51, delays=0.09/0.03/0.39/0, dsn=4.4.2, status=deferred (lost connection with server[X.X.X.X] while performing the EHLO handshake)

In diagnosing the problem, I found that I can connect correctly to the server on the command line by issuing:

$ openssl s_client -connect server:587 -starttls smtp -tls1

which gives (among many other things):

> Secure Renegotiation IS supported
> […]
> Protocol : TLSv1

but NOT if I say:

$ openssl s_client -connect server:587 -starttls smtp -tls1_1

which gives these errors:

> 3078101192:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> […]
> Secure Renegotiation IS NOT supported
> […]
> Protocol : TLSv1.1

(This error was the same with a self-compiled version of the latest openssl 1.0.1e.)

So, I thought I should try to force postfix to use tls1 instead of tls1_1 or 1_2. I set up a tls_policy map that I know is working (because it complains on typos or if I forbid all the protocols):

[server]:587 encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2

However, this does not help, and I still get the same error. Giving "protocols=TLSv1" fails just the same.

What can I do? Thanks in advance!

Michael
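
Added example (not part of the post above and not Postfix code): a small Python model of how the two `protocols=` values quoted in the post resolve to a set of enabled protocols. It assumes the include/exclude semantics described in the Postfix documentation and the five protocol names a Postfix 2.9 / OpenSSL 1.0.1 build would know; the function names are hypothetical.

```python
# Added illustration, not Postfix source code.
# Assumption: protocol names known to a Postfix 2.9 / OpenSSL 1.0.1 build.
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def enabled_protocols(spec):
    """Return the protocols a 'protocols=' value leaves enabled.

    Modeled semantics (assumption, following the Postfix documentation):
    '!name' excludes a protocol; if any name is listed without '!',
    only the listed names stay enabled. Names are case-insensitive.
    """
    canon = {name.lower(): name for name in KNOWN}
    include, exclude = set(), set()
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        negated = token.startswith("!")
        name = canon.get(token.lstrip("!").lower())
        if name is None:
            raise ValueError("unknown protocol name: %r" % token)
        (exclude if negated else include).add(name)
    allowed = include if include else set(KNOWN)
    return [p for p in KNOWN if p in allowed and p not in exclude]


def parse_policy_line(line):
    """Split one tls_policy entry into (key, level, attributes)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected: <destination> <level> [attr=value ...]")
    key, level = fields[0], fields[1]
    attrs = dict(f.split("=", 1) for f in fields[2:])
    return key, level, attrs


if __name__ == "__main__":
    # The two policy values quoted in the post above.
    for line in (
        "[server]:587 encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2",
        "[server]:587 encrypt protocols=TLSv1",
    ):
        key, level, attrs = parse_policy_line(line)
        print(key, level, enabled_protocols(attrs["protocols"]))
```

Under this model the exclusion form leaves both SSLv3 and TLSv1 enabled, while `protocols=TLSv1` leaves TLSv1 alone.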