On Tue, Oct 15, 2013 at 03:20:13AM +0200, Michael B?ker wrote:

> > postfix/smtp[9689]: warning: TLS library problem: 9689:error:1408F10B:SSL 
> > routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:337:
> > postfix/smtp[9689]: 033661A108A: to=<f...@bar.com>, 
> > relay=server[X.X.X.X]:587, delay=0.51, delays=0.09/0.03/0.39/0, dsn=4.4.2, 
> > status=deferred (lost connection with server[X.X.X.X] while performing the 
> > EHLO handshake)

Obfuscating the target domain and IP address makes it much harder
to help you.  At the very least you MUST obfuscate using a 1-to-1
function, so that each distinct domain or IP address is mapped to
a distinct obfuscated value.

You must post the relevant entries (unmangled except for any 1-to-1
mapping) from your transport table that direct mail for the recipients
in question via the problem relay.

> $ openssl s_client -connect server:587 -starttls smtp -tls1
> 
> but NOT if I say:
> 
> $ openssl s_client -connect server:587 -starttls smtp -tls1_1
> 
> which gives these errors:
> 
> [server]:587 encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2

The obfuscation is again most unfortunate.  Most likely said
"[server]:587" lookup key is not in fact the literal nexthop from
the transport table.

> However, this does not help, and I still get the same error. Giving 
> "protocols=TLSv1" fails just the same.

Support for disabling TLSv1.1 and TLSv1.2 was added with Postfix
2.7.9, 2.8.10, 2.9.2 and 2.10.  If you're using 2.9.6 you should
be covered if you correctly specify the policy table lookup key
and enable SMTP tls policy lookups.

Showing "postconf -n" output would also be helpful.

-- 
        Viktor.
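
A 1-to-1 obfuscation of the kind requested above, as an added sketch that is not part of the original message. The `Pseudonymizer` class, the sample lines and the placeholder scheme (`hostN.example`, `192.0.2.N`) are constructed for illustration; it maps only dotted hostnames and IPv4 addresses and leaves mail local parts as they are.

```python
import re

# One pass per line: IPv4 literals first, then dotted hostnames.
# Single-label names (e.g. "server") are not matched; a limit of this sketch.
TOKEN = re.compile(
    r"(?P<ip>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?P<host>\b(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}\b)"
)

class Pseudonymizer:
    """Maps each distinct IP or hostname to one distinct placeholder."""

    def __init__(self):
        self.ips = {}    # real IP -> 192.0.2.N (documentation range)
        self.hosts = {}  # real name, lowercased -> hostN.example

    def _swap(self, m):
        if m.group("ip"):
            key = m.group("ip")
            return self.ips.setdefault(key, "192.0.2.%d" % (len(self.ips) + 1))
        key = m.group("host").lower()
        return self.hosts.setdefault(key, "host%d.example" % (len(self.hosts) + 1))

    def scrub(self, text):
        return TOKEN.sub(self._swap, text)

# Constructed sample: a log line, a transport entry and a TLS policy entry.
SAMPLE = [
    "postfix/smtp[9689]: 033661A108A: to=<user@corp.test>, "
    "relay=mx.relay.test[203.0.113.7]:587, delay=0.51, "
    "delays=0.09/0.03/0.39/0, dsn=4.4.2, status=deferred",
    "corp.test smtp:[mx.relay.test]:587",
    "[MX.relay.test]:587 encrypt protocols=!SSLv2:!TLSv1.1:!TLSv1.2",
]

def scrub_all(lines):
    # Reuse one mapping for every excerpt so the same name gets the same
    # placeholder in the log, the transport table and the policy table.
    p = Pseudonymizer()
    return [p.scrub(line) for line in lines]

if __name__ == "__main__":
    print("\n".join(scrub_all(SAMPLE)))
```

Because one mapping is shared across all excerpts, a reader of the scrubbed output can still see whether the policy table lookup key is the same string as the transport nexthop.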
