Looking earlier on the thread, Jan suggested that it was dovecot that had
the issue and may be related.

My issue seems to be a connection issue between postfix and my webapp. Viktor
suggested it could be an issue with my OpenSSL implementation. The dev
webapp is running on MacOS X 10.10, which should have a very recent
version: OpenSSL 0.9.8za 5 Jun 2014. The server hosting postfix is on
CentOS 6 using OpenSSL 1.0.1e-fips 11 Feb 2013.

Dec  7 22:07:25 hosting1 postfix/smtpd[4350]: connect from
x-x-x-x.phnx.qwest.net[x.x.x.x]
Dec  7 22:07:25 hosting1 postfix/smtpd[4350]: warning: TLS library
problem: 4350:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
number:s3_pkt.c:337:
Dec  7 22:07:25 hosting1 postfix/smtpd[4350]: lost connection after
STARTTLS from x.x.x.x.phnx.qwest.net[x.x.x.x]
Dec  7 22:07:25 hosting1 postfix/smtpd[4350]: disconnect from
x-x-x-x.phnx.qwest.net[x.x.x.x]

Not sure where those configs from dovecot come into play when it's
postfix showing the error.


Do Viktor's suggested dovecot configs also pertain to postfix?

I'm still checking on the TLS implementation of the middleware for my
webapp that sends the email.


Thanks,
Steffan

---------------------------------------------------------------
T E L  6 0 2 . 7 9 3 . 0 0 1 4 | F A X  6 0 2 . 9 7 1 . 1 6 9 4
Steffan A. Cline                        stef...@execuchoice.net
http://www.ExecuChoice.net                 Phoenix, Arizona USA
                  
---------------------------------------------------------------
On 12/7/14, 11:36 AM, "Viktor Dukhovni" <postfix-us...@dukhovni.org> wrote:

>On Sun, Dec 07, 2014 at 06:02:23PM +0100, Jan Kowalski wrote:
>
>> In my case it is caused by my dovecot configuration, namely:
>> 
>> ssl_protocols = !SSLv2 !SSLv3
>> ssl_cipher_list = HIGH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL
>
>This configuration is incorrect.  The majority of TLSv1.2 cipher
>suites were defined as part of "SSLv3".  In the cipherlist, the
>protocol number is the *lowest* protocol that supports the cipher
>suite, but removing all SSLv3 ciphers from TLS leaves only bleeding
>edge AEAD and SHA-2 ciphers that many clients don't support.
>
>A better cipherlist for *dovecot* would be:
>
>    DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5
>
>The "MD5" cipher suites are a superset of the SSLv2 cipher suites.
>The "DEFAULT" list is generally a good starting point for non-experts,
>to which you apply sensible exclusions.
>
>-- 
>       Viktor.
>
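As an added example that is not part of this thread, the cipherlist semantics Viktor describes can be checked against the local OpenSSL through Python's ssl module: it takes the two cipherlists quoted above and groups the suites each one enables by the minimum protocol version OpenSSL records for the suite, which is the tag the SSLv3/TLSv1.0/TLSv1.2 keywords match on. It assumes an OpenSSL-backed Python 3.7 or later; on OpenSSL 1.1 and later the ECDHE CBC suites carry a TLSv1.0 tag rather than SSLv3, so the counts differ from a 1.0.1e box, but the mechanism is the same.

```python
import ssl
from collections import Counter

# The two cipherlists quoted in the thread (Jan's and Viktor's suggestion).
JAN_CIPHERLIST = "HIGH:!LOW:!SSLv2:!SSLv3:!EXP:!aNULL"
VIKTOR_CIPHERLIST = "DEFAULT:!EXPORT:!LOW:!MEDIUM:!MD5"


def make_context(cipherlist, min_version=ssl.TLSVersion.TLSv1_2):
    """Build a client context whose protocol floor is set separately from its cipherlist."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version   # the protocol knob (ssl_protocols / smtpd_tls_protocols)
    ctx.set_ciphers(cipherlist)         # the cipherlist only selects cipher suites
    return ctx


def suites_by_min_protocol(cipherlist, min_version=ssl.TLSVersion.TLSv1_2):
    """Count the enabled pre-TLS-1.3 suites by the *lowest* protocol that defines them.

    get_ciphers()["protocol"] is the per-suite minimum version that the SSLv3,
    TLSv1.0 and TLSv1.2 cipherlist keywords match on; it is not the protocol
    the suite will be negotiated over, so "!SSLv3" does not disable SSLv3.
    """
    ctx = make_context(cipherlist, min_version)
    return Counter(c["protocol"] for c in ctx.get_ciphers()
                   if c["protocol"] != "TLSv1.3")   # TLS 1.3 suites are configured separately


def ssl3_tagged_names(cipherlist):
    """Names of the enabled suites whose definition dates back to SSLv3 (e.g. AES-CBC/SHA-1)."""
    ctx = make_context(cipherlist)
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "SSLv3")


if __name__ == "__main__":
    for label, cl in (("Jan", JAN_CIPHERLIST), ("Viktor", VIKTOR_CIPHERLIST)):
        print(f"{label:6} {cl}")
        print(f"       suites by minimum protocol: {dict(suites_by_min_protocol(cl))}")
    # Even with the protocol floor at TLS 1.2, Viktor's list still offers the
    # SSLv3-tagged suites because they are valid in TLS 1.2; Jan's "!SSLv3"
    # removed every one of them without turning the SSLv3 protocol off.
    print("Viktor's SSLv3-tagged suites:", ", ".join(ssl3_tagged_names(VIKTOR_CIPHERLIST)))
```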

