Dennis L wrote:
>> If I have an EC mail server cert and an MTA set up to send/receive, it
>> gives the following:
> 
>> $ openssl s_client -cipher ECDH -starttls smtp -connect
>> medusa.blackops.org:25
>> CONNECTED(00000003)
>> 139821090178704:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
>> alert handshake failure:s23_clnt.c:762:
> 
>> Does that mean it cannot connect *to* me because it doesn't have any EC
>> ciphers (OpenSSL from 0.9.8 to 1.0.0, I believe?), which are required
>> because of an EC SSL cert?
> 
>> Why doesn't mail then get delivered in the clear?
> 
>> I can receive mail, for example from Gmail, which connects to me with an
>> ECDSA cipher suite.
> 
>> I posted postconf -n in a previous question.
> 
>> Example:
> 
>> postfix/smtpd[7060]: initializing the server-side TLS engine
>> postfix/smtpd[7060]: connect from medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: can't read
>> SMFIC_OPTNEG reply packet header: Connection timed out
>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: read error in
>> initial handshake
>> postfix/smtpd[7060]: setting up TLS connection from
>> medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: medusa.blackops.org[208.69.40.157]: TLS cipher list
>> "!ANULL:!EXPORT:!MD5:!DES:!LOW:ALL:@STRENGTH"
>> postfix/smtpd[7060]: SSL_accept:before/accept initialization
>> postfix/smtpd[7060]: SSL3 alert write:fatal:handshake failure
>> postfix/smtpd[7060]: SSL_accept:error in SSLv3 read client hello C
>> postfix/smtpd[7060]: SSL_accept:error in SSLv3 read client hello C
>> postfix/smtpd[7060]: SSL_accept error from
>> medusa.blackops.org[208.69.40.157]: -1
>> postfix/smtpd[7060]: warning: TLS library problem: error:1408A0C1:SSL
>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1358:
>> postfix/smtpd[7060]: lost connection after STARTTLS from
>> medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: disconnect from medusa.blackops.org[208.69.40.157]
> Do you have this in your main.cf? I think it may fix your issue.
> smtpd_tls_ciphers = export
> 

It was set to medium,

but the Postfix default is

tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)

and it excludes export.
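The "no shared cipher" in the quoted smtpd log comes down to which suites the client's cipher string and the server's cipher list have in common that an EC certificate can actually be used with. As an added illustration (not from this thread or from Postfix), this Python script expands both OpenSSL cipher strings with the standard-library ssl module and lists the shared suites an ECDSA-only server could negotiate; it uses the two cipher strings quoted above, and the exact suite names depend on the OpenSSL build Python is linked against.

```python
import ssl

# Cipher strings quoted in the thread: the client's "-cipher ECDH" selector
# and the Postfix tls_medium_cipherlist default from the reply.
CLIENT_SPEC = "ECDH"
POSTFIX_MEDIUM = "ALL:!EXPORT:!LOW:+RC4:@STRENGTH"


def expand_cipherlist(spec):
    """Expand an OpenSSL cipher string into the TLS 1.2-and-below suites it
    selects, in preference order. TLS 1.3 suites are dropped: they are listed
    regardless of the cipher string and are not tied to the certificate type."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)  # raises ssl.SSLError if the string selects nothing
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def usable_with_ecdsa_cert(cipher):
    """True if a server holding only an EC (ECDSA) certificate can offer it."""
    auth = cipher.get("auth")  # e.g. "auth-ecdsa", "auth-rsa", "auth-null"
    if auth is not None:
        return auth in ("auth-ecdsa", "auth-null")  # anonymous needs no cert
    name = cipher["name"]  # fallback for builds that omit the auth field
    return "ECDSA" in name or name.startswith("AECDH")


def shared_ciphers(client_spec, server_spec, ecdsa_cert=True):
    """Suites both cipher strings select, in the client's order; with
    ecdsa_cert=True only those an EC-certificate server could negotiate."""
    server = {c["name"] for c in expand_cipherlist(server_spec)}
    return [c["name"] for c in expand_cipherlist(client_spec)
            if c["name"] in server and (not ecdsa_cert or usable_with_ecdsa_cert(c))]


def diagnose(client_spec, server_spec):
    """Mirror the server-side verdict: a non-empty shared list means a
    handshake can proceed, an empty one is OpenSSL's 'no shared cipher' alert."""
    shared = shared_ciphers(client_spec, server_spec)
    if not shared:
        return "no shared cipher (handshake failure) for client %r" % client_spec
    return "client %r can negotiate: %s" % (client_spec, ", ".join(shared))


if __name__ == "__main__":
    print(diagnose(CLIENT_SPEC, POSTFIX_MEDIUM))
    # An RSA-only client (no ECDSA-authenticated suites) hits the same
    # "no shared cipher" alert against an EC-certificate server.
    print(diagnose("RSA", POSTFIX_MEDIUM))
```

Running it against the actual server is still the authoritative check (openssl s_client with the suite list it prints), since the cipher table of the MTA's OpenSSL may differ from the one Python links against.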
