Re: ECDSA ciphers & MTA's

Mon, 15 Sep 2014 04:07:53 -0700 


Dennis L wrote:
>> if i have an EC mail server cert and if an MTA setup to send/receive?
>> gives the following:
> 
>> $ openssl s_client -cipher ECDH -starttls smtp -connect
>> medusa.blackops.org:25
>> CONNECTED(00000003)
>> 139821090178704:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
>> alert handshake failure:s23_clnt.c:762:
> 
>> does that mean it cannot connect *to* me because it doesn't have any EC
>> ciphers (openssl from 0.9.8 to 1.0.0 i believe?) which are required
>> because of an EC ssl cert ?
> 
>> why doesn't mail then get delivered in the clear ?
> 
>> i can receive mail for example from gmail which connects to me with an
>> ECDSA cipher suite
> 
>> i posted postconf -n in previous question
> 
>> example
> 
>> postfix/smtpd[7060]: initializing the server-side TLS engine
>> postfix/smtpd[7060]: connect from medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: can't read
>> SMFIC_OPTNEG reply packet header: Connection timed out
>> postfix/smtpd[7060]: warning: milter inet:127.0.0.1:10023: read error in
>> initial handshake
>> postfix/smtpd[7060]: setting up TLS connection from
>> medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: medusa.blackops.org[208.69.40.157]: TLS cipher list
>> "!ANULL:!EXPORT:!MD5:!DES:!LOW:ALL:@STRENGTH"
>> postfix/smtpd[7060]: SSL_accept:before/accept initialization
>> postfix/smtpd[7060]: SSL3 alert write:fatal:handshake failure
>> postfix/smtpd[7060]: SSL_accept:error in SSLv3 read client hello C
>> postfix/smtpd[7060]: SSL_accept:error in SSLv3 read client hello C
>> postfix/smtpd[7060]: SSL_accept error from
>> medusa.blackops.org[208.69.40.157]: -1
>> postfix/smtpd[7060]: warning: TLS library problem: error:1408A0C1:SSL
>> routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1358:
>> postfix/smtpd[7060]: lost connection after STARTTLS from
>> medusa.blackops.org[208.69.40.157]
>> postfix/smtpd[7060]: disconnect from medusa.blackops.org[208.69.40.157]
> do you have this in your main.cf? I think it may fix your issue.
> smtpd_tls_ciphers = export
> 

it was set to medium

but the postfix default is

tls_medium_cipherlist (default: ALL:!EXPORT:!LOW:+RC4:@STRENGTH)

and it excludes export

Reply via email to