Hi, this is Postfix 2.11.1-1 from Debian jessie amd64.
This server uses an EC certificate, not RSA. Eventually the email gets sent in the clear; any help appreciated.

openssl on the server reports OK:

OpenSSL 1.0.1i 6 Aug 2014
$ openssl s_client -cipher SSLv3 -starttls smtp -connect igwx10.cba.com.au:25
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA

Why does it connect with TLS rather than SSLv3 — is this because `-cipher SSLv3` only selects the SSLv3 cipher list and still allows any protocol above SSLv3?

But openssl on a different computer gives the same result as Postfix:

OpenSSL 1.0.1g 7 Apr 2014
$ openssl s_client -cipher SSLv3 -starttls smtp -connect igwx10.cba.com.au:25
CONNECTED(00000003)
140155330672272:error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:

Postfix log:

postfix/smtp[11167]: initializing the client-side TLS engine
postfix/smtp[11167]: setting up TLS connection to igwx10.cba.com.au[140.168.71.11]:25
postfix/smtp[11167]: igwx10.cba.com.au[140.168.71.11]:25: TLS cipher list "!aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH"
postfix/smtp[11167]: looking for session smtp&cba.com.au&igwx10.cba.com.au&140.168.71.11&&ED55784BD6F27A52D8222B141F9544CCE902CED3AF1D6BB6457521FB710AF0FB in smtp cache
postfix/smtp[11167]: SSL_connect:before/connect initialization
postfix/smtp[11167]: SSL_connect:SSLv2/v3 write client hello A
postfix/smtp[11167]: SSL3 alert read:fatal:decode error
postfix/smtp[11167]: SSL_connect:error in SSLv2/v3 read server hello A
postfix/smtp[11167]: SSL_connect error to igwx10.cba.com.au[140.168.71.11]:25: -1
postfix/smtp[11167]: warning: TLS library problem: error:1407741A:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert decode error:s23_clnt.c:762:
postfix/smtp[11167]: remove session smtp&cba.com.au&igwx10.cba.com.au&140.168.71.11&&ED55784BD6F27A52D8222B141F9544CCE902CED3AF1D6BB6457521FB710AF0FB from client cache
postfix/smtp[11167]: 25BGD52K157: Cannot start TLS: handshake failure
postfix/smtp[11167]: Host offered STARTTLS: [igwx10.cba.com.au]
postfix/smtp[11167]: 25BB3800157: to=<localbusinessbank...@cba.com.au>,
relay=igwx10.cba.com.au[140.168.71.11]:25, delay=7.4, delays=3.6/0.02/3.6/0.15, dsn=2.0.0, status=sent (250 ok: Message 127882284 accepted)

postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
allow_percent_hack = no
append_dot_mydomain = no
best_mx_transport = local
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
disable_vrfy_command = yes
header_checks = pcre:/etc/postfix/header_checks.pcre
home_mailbox = mail/
inet_interfaces = all
inet_protocols = ipv4
mail_name = Mail
mail_version = 23
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
mydomain = example.com
myhostname = ns1.example.com
non_smtpd_milters = inet:127.0.0.1:10023, inet:127.0.0.1:12301, inet:127.0.0.1:10002, inet:127.0.0.1:8893
policy-spf_time_limit = 3600s
queue_directory = /var/spool/postfix
readme_directory = no
recipient_delimiter = +
show_user_unknown_table_name = no
smtp_dns_support_level = dnssec
smtp_header_checks = pcre:/etc/postfix/header_checks.pcre
smtp_sender_dependent_authentication = yes
smtp_starttls_timeout = 30s
smtp_tls_block_early_mail_reply = yes
smtp_tls_ciphers = medium
smtp_tls_eccert_file = /etc/postfix/example.com-ssl.pem
smtp_tls_eckey_file = /etc/postfix/example.com-ssl.key
smtp_tls_loglevel = 2
smtp_tls_mandatory_ciphers = medium
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_use_tls = yes
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, check_client_access hash:/etc/postfix/client_checks, reject_unknown_client_hostname, reject_unauth_pipelining, reject_rbl_client zen.spamhaus.org, reject_rbl_client dnsbl.sorbs.net, permit
smtpd_data_restrictions = reject_unauth_pipelining, reject_multi_recipient_bounce, permit
smtpd_delay_reject = yes
smtpd_error_sleep_time = 20
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_hard_error_limit = 3
smtpd_helo_required = yes
smtpd_junk_command_limit = 2
smtpd_milters = inet:127.0.0.1:10023, inet:127.0.0.1:12301, inet:127.0.0.1:10002, inet:127.0.0.1:8893
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_unauth_destination, reject_unlisted_recipient, reject_unverified_recipient, reject_unauth_pipelining, check_policy_service unix:private/policy-spf, check_policy_service inet:127.0.0.1:10023, reject_rhsbl_reverse_client dbl.spamhaus.org, reject_rhsbl_sender dbl.spamhaus.org, reject_rhsbl_client dbl.spamhaus.org, permit
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_checks, reject_non_fqdn_sender, reject_unknown_sender_domain, reject_unknown_address, reject_rhsbl_reverse_client dbl.spamhaus.org, permit
smtpd_soft_error_limit = 1
smtpd_starttls_timeout = 30s
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_auth_only = yes
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
smtpd_tls_eccert_file = /etc/postfix/example.com-ssl.pem
smtpd_tls_eckey_file = /etc/postfix/example.com-ssl.key
smtpd_tls_eecdh_grade = ultra
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_protocols = !SSLv2
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
swap_bangpath = no
tls_daemon_random_bytes = 32
tls_dane_digest_agility = on
tls_dane_digests = sha512 sha256
tls_high_cipherlist = !aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH
tls_low_cipherlist = !aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH
tls_medium_cipherlist = !aNULL:!eNULL:!EXPORT:!MD5:!DES:!SRP:!DSS:!SEED:!ADH:!AECDH:!PSK:!LOW:ALL:@STRENGTH
tls_preempt_cipherlist = yes
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
tls_ssl_options = NO_COMPRESSION