I work with

    postconf mail_version
    mail_version = 2.11.3

making a Postfix gateway to receive and relay mail for my client's domain.

Say his mail domain is "clientdomain.com" and his mail server is "client1.clientdomain.com".

I am working on TLS security of mail from my server to his server.

I am having handshake problems on the relay; the error is "Cannot start TLS: handshake failure". Of course, if I could see detailed logs for both my server and his domain, then I could do the troubleshooting.

But I only control my server.

In my logs I see this:

    tail mail.log | grep -i tls
    Jan 25 04:27:24 srchmx postfix/smtp[17317]: initializing the client-side TLS engine
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: name_mask: ipv4
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: inet_addr_local: configured 10 IPv4 addresses
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: process generation: 10 (10)
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tls_prng_dev_open: opened entropy device /dev/urandom
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: set_eugid: euid 5001 egid 5001
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tls_prng_exch_open: opened PRNG exchange file /var/lib/postfix/prng_exch
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: name_mask: 3
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: open smtp TLS cache lmdb:/var/lib/postfix/smtp_cache
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: database lmdb:/var/lib/postfix/smtp_cache: using size limit 16777216 during open
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: dict_open: lmdb:/var/lib/postfix/smtp_cache
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: set_eugid: euid 0 egid 0
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tls_prng_dev_read: read 32 bytes from entropy device /dev/urandom
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr_prng_exch_event: update PRNG exchange file
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr_cache_run_event: start TLS smtp session cache cleanup
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: connection established fd 128
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: connection established fd 129
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: master_notify: status 0
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr socket: wanted attribute: request
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute name: request
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute value: seed
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr socket: wanted attribute: size
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute name: size
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute value: 32
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr socket: wanted attribute: (list terminator)
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute name: (end)
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: send attr status = 0
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: send attr seed = [data 32 bytes]
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: master_notify: status 1
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: master_notify: status 0
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr socket: wanted attribute: request
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute name: request
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute value: policy
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr socket: wanted attribute: cache_type
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute name: cache_type
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute value: smtp
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: tlsmgr socket: wanted attribute: (list terminator)
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: input attribute name: (end)
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: send attr status = 0
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: send attr cachable = 1
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: send attr timeout = 3600
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: master_notify: status 1
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: master_notify: status 0
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: received master trigger
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: connection closed fd 129
    Jan 25 04:27:24 srchmx postfix/tlsmgr[17318]: master_notify: status 1
    Jan 25 04:27:25 srchmx postfix/smtp[17317]: setting up TLS connection to client1.clientdomain.com[45.3x.xxx.xxx]:25
    Jan 25 04:27:25 srchmx postfix/smtp[17317]: D04EE9086B: Cannot start TLS: handshake failure
    Jan 25 04:27:29 srchmx postfix/tlsmgr[17318]: connection closed fd 128

You see the "handshake failure"?

On the receiver end (my client's server, which I do not control), the only log sent to me says:

    Jan 25 04:27:46 client1 postfix/smtpd[20478]: connect from srchmx.myserver.com[171.2xx.xxx.xxx]
    Jan 25 04:27:46 client1 postfix/smtpd[20478]: SSL_accept error from srchmx.myserver.com[171.2xx.xxx.xxx]: lost connection
    Jan 25 04:27:46 client1 postfix/smtpd[20478]: lost connection after STARTTLS from srchmx.myserver.com[171.2xx.xxx.xxx]
    Jan 25 04:27:46 client1 postfix/smtpd[20478]: disconnect from srchmx.myserver.com[171.2xx.xxx.xxx]

There is the "SSL_accept error".

I cannot so easily get more logs from the client side.

From my end, I have these configs:

master.cf

    relay     unix  -       -       n       -       -       smtp
      -o smtp_bind_address=171.2xx.xxx.xxx

main.cf

    smtp_tls_loglevel = 3
    smtp_use_tls = yes
    smtp_tls_CApath = /etc/ssl/certs/
    smtp_tls_session_cache_database = lmdb:/var/lib/postfix/smtp_cache
    smtp_tls_policy_maps = lmdb:/etc/postfix/tls_policy
    smtpd_tls_security_level = may
    smtpd_tls_auth_only = yes
    smtp_tls_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high, medium
    smtp_tls_exclude_ciphers = aNULL, RC4
    smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
    smtp_tls_mandatory_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high
    smtp_tls_mandatory_exclude_ciphers =
    tls_preempt_cipherlist = yes

tls_policy

    clientdomain.com   encrypt

I ask for help to learn how to troubleshoot this better, not to have it fixed for me.

How do I look for the right details, only on my end of the logs, to know what to fix?

*S*
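An added example, not part of the original post and not Postfix's own code, in Python. It does two things a sender-side troubleshooter wants from only their own logs and config: it parses smtp(8) lines of the kind shown above, joining each "setting up TLS connection to" line with the later "Cannot start TLS" or "TLS connection established" line for the same process id, and it computes from a main.cf fragment which protocol and cipher settings govern a destination at a given tls_policy level (at "encrypt" and stricter levels the *_mandatory_* parameters apply; at "may" the opportunistic ones). The log lines and config lines are constructed here to echo the post's; the protocol names assumed are the ones Postfix 2.11 accepts (SSLv2 through TLSv1.2).

```python
"""Added example (not from the original post): summarise Postfix smtp(8) TLS
outcomes from mail.log and work out which main.cf protocol/cipher settings
govern a destination at a given tls_policy level.  The log and config lines
below are constructed to echo the shape of the ones in the post."""
import re
from collections import defaultdict

# Constructed sample log lines, in the format the post shows.
SAMPLE_LOG = """\
Jan 25 04:27:24 srchmx postfix/smtp[17317]: initializing the client-side TLS engine
Jan 25 04:27:25 srchmx postfix/smtp[17317]: setting up TLS connection to client1.clientdomain.com[45.3.0.1]:25
Jan 25 04:27:25 srchmx postfix/smtp[17317]: D04EE9086B: Cannot start TLS: handshake failure
Jan 25 04:28:10 srchmx postfix/smtp[17400]: setting up TLS connection to mx.example.net[192.0.2.10]:25
Jan 25 04:28:10 srchmx postfix/smtp[17400]: Trusted TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# Constructed main.cf fragment carrying the post's protocol restriction.
SAMPLE_MAIN_CF = """\
smtp_tls_loglevel = 3
smtp_tls_ciphers = high
smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
smtp_tls_mandatory_ciphers = high
smtp_tls_mandatory_exclude_ciphers =
"""

SETUP_RE = re.compile(r"postfix/smtp\[(\d+)\]: setting up TLS connection to (\S+?)\[[^\]]+\]:\d+")
FAIL_RE = re.compile(r"postfix/smtp\[(\d+)\]: (\w+): Cannot start TLS: (.+)$")
OK_RE = re.compile(r"postfix/smtp\[(\d+)\]: (?:Trusted|Untrusted|Verified|Anonymous) TLS connection "
                   r"established to \S+: (\S+) with cipher (\S+)")


def summarise_tls(log_text):
    """Per destination host: attempts, (queue id, reason) failures and
    (protocol, cipher) successes.  The 'setting up' line names the host and
    the outcome line names the queue id, so the two are joined on the smtp(8)
    process id, which both lines carry."""
    current_host = {}  # pid -> host that process most recently dialled
    summary = defaultdict(lambda: {"attempts": 0, "failures": [], "established": []})
    for line in log_text.splitlines():
        m = SETUP_RE.search(line)
        if m:
            current_host[m.group(1)] = m.group(2)
            summary[m.group(2)]["attempts"] += 1
            continue
        m = FAIL_RE.search(line)
        if m:
            summary[current_host.get(m.group(1), "?")]["failures"].append((m.group(2), m.group(3)))
            continue
        m = OK_RE.search(line)
        if m:
            summary[current_host.get(m.group(1), "?")]["established"].append((m.group(2), m.group(3)))
    return dict(summary)


# Protocol names Postfix 2.11 accepts in the *_protocols parameters (assumption:
# the list of that release, before TLSv1.3 existed).
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def parse_main_cf(text):
    """Minimal 'key = value' parser for a main.cf fragment (no line continuations)."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def allowed_protocols(setting):
    """Expand a Postfix protocol list: '!X' entries are removed from the full
    set, bare entries name exactly the enabled protocols, empty means all."""
    items = [t for t in re.split(r"[\s,:]+", setting) if t]
    excluded = {t[1:] for t in items if t.startswith("!")}
    included = {t for t in items if not t.startswith("!")}
    base = included if included else set(KNOWN_PROTOCOLS)
    return base - excluded


def effective_requirements(cfg, policy_level):
    """Settings that apply to a destination at the given tls_policy level.
    'encrypt', 'fingerprint', 'verify', 'secure' and 'dane-only' are mandatory
    TLS and use the *_mandatory_* parameters; 'may' uses the opportunistic
    ones ('dane' depends on the TLSA lookup and is not modelled here)."""
    mandatory = policy_level in {"encrypt", "fingerprint", "verify", "secure", "dane-only"}
    proto_key = "smtp_tls_mandatory_protocols" if mandatory else "smtp_tls_protocols"
    cipher_key = "smtp_tls_mandatory_ciphers" if mandatory else "smtp_tls_ciphers"
    return {
        "mandatory": mandatory,
        "protocol_setting": proto_key,
        "protocols": allowed_protocols(cfg.get(proto_key, "")),
        "cipher_setting": cipher_key,
        "ciphers": cfg.get(cipher_key, "(default)"),
    }


if __name__ == "__main__":
    for host, info in summarise_tls(SAMPLE_LOG).items():
        print(host, info)
    print(effective_requirements(parse_main_cf(SAMPLE_MAIN_CF), "encrypt"))
```

Run it against the real log with `summarise_tls(open("/var/log/mail.log").read())`: the per-host summary shows whether a destination has ever completed a handshake from this relay and, if so, with which protocol and cipher. The `effective_requirements` output (for the post's config at the "encrypt" level it comes out as TLSv1.2 only, with the "high" cipher grade) is the sender-side half of the picture; the other half is what the peer offers, which can be observed from the same host with `openssl s_client -starttls smtp -connect host:25` without any access to the peer's logs.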
