On Mon, Jan 26, 2015 at 02:05:41AM +0000, srach wrote:

> mail_version = 2.11.3
>
> Say his mail domain is "clientdomain.com" and his mail server is
> "client1.clientdomain.com".
>
> I am working on TLS security of mail from my server to his server.
>
> I am having handshake problems on the relay, the error is "Cannot start TLS:
> handshake failure". Of course if I see logs in great detail for my servers
> and his domain then I can do the troubleshooting.

Your logs are too verbose. This just hides the real problem in a torrent
of noise.

> Jan 25 04:27:25 srchmx postfix/smtp[17317]: setting up TLS connection to
> client1.clientdomain.com[45.3x.xxx.xxx]:25
> Jan 25 04:27:25 srchmx postfix/smtp[17317]: D04EE9086B: Cannot start TLS:
> handshake failure

You've obfuscated the destination IP address, so no independent checks
of the server's TLS support are possible.

> On the receiver end, that of my client that I do not control server the only
> log sent to me only says
>
> Jan 25 04:27:46 client1 postfix/smtpd[20478]: connect from
> srchmx.myserver.com[171.2xx.xxx.xxx]
> Jan 25 04:27:46 client1 postfix/smtpd[20478]: SSL_accept error from
> srchmx.myserver.com[171.2xx.xxx.xxx]: lost connection
> Jan 25 04:27:46 client1 postfix/smtpd[20478]: lost connection after
> STARTTLS from srchmx.myserver.com[171.2xx.xxx.xxx]
> Jan 25 04:27:46 client1 postfix/smtpd[20478]: disconnect from
> srchmx.myserver.com[171.2xx.xxx.xxx]

Resolving TLS handshake problems requires full-packet PCAP captures and
wireshark.

> smtp_tls_loglevel = 3

Try loglevel = 1.

> smtp_tls_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high, medium

The above is gibberish:

    http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_ciphers

The documented syntax is *exactly one* of:

    null, export, low, medium, high

The default is almost certainly good enough. Remove this setting.

> smtp_tls_exclude_ciphers = aNULL, RC4

This too is unnecessary.

> smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2

That's a terrible idea, the remote server probably does not support
TLSv1.2. Restore the default or disable only:

    smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

> smtp_tls_mandatory_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high

This is wrong.

    http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_ciphers

> tls_policy
> clientdomain.com encrypt
>
> I ask for help to learn how to troubleshoot this better? Not to have it
> fixed for me.

Restore sensible default settings. Your efforts to make things more
fashionably secure are counter-productive.

-- 
	Viktor.
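As an added example, not code from this thread or from the Postfix project, the following Python checker applies the two syntax rules Viktor points to: the *_tls_ciphers and *_tls_mandatory_ciphers parameters accept exactly one grade name (null, export, low, medium, high), never a cipher-suite name, and the *_tls_protocols parameters accept either an inclusion list or a "!"-prefixed exclusion list, from which it computes which protocol versions are left enabled. The set of protocol names is an assumption (what Postfix 2.11 on OpenSSL 1.0.x knows: SSLv2 through TLSv1.2); the two sets of sample settings are constructed, one from the poster's quoted main.cf and one from the defaults Viktor recommends.

```python
"""Lint Postfix SMTP-client TLS settings for the mistakes discussed above.

Added example; not from the thread or the Postfix project.
"""
import re

# postconf(5): these parameters take exactly one grade name, never an
# OpenSSL or IANA cipher-suite name such as TLS_ECDHE_RSA_WITH_....
CIPHER_GRADES = {"null", "export", "low", "medium", "high"}
CIPHER_GRADE_PARAMS = {
    "smtp_tls_ciphers", "smtp_tls_mandatory_ciphers",
    "smtpd_tls_ciphers", "smtpd_tls_mandatory_ciphers",
}
PROTOCOL_PARAMS = {
    "smtp_tls_protocols", "smtp_tls_mandatory_protocols",
    "smtpd_tls_protocols", "smtpd_tls_mandatory_protocols",
}
# Assumption: the protocol versions Postfix 2.11 on OpenSSL 1.0.x knows.
KNOWN_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_main_cf(text):
    """Return {parameter: value} from main.cf-style 'name = value' lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def split_list(value):
    """Postfix list values are separated by commas and/or whitespace."""
    return [tok for tok in re.split(r"[\s,]+", value) if tok]


def effective_protocols(value):
    """Protocol versions a *_tls_*protocols value leaves enabled.

    The value is either an inclusion list ("TLSv1, TLSv1.1, TLSv1.2") or
    an exclusion list ("!SSLv2, !SSLv3"); the two forms are not mixed.
    Returns (enabled_set, error_message_or_None).
    """
    tokens = split_list(value)
    excluded = {t[1:] for t in tokens if t.startswith("!")}
    included = {t for t in tokens if not t.startswith("!")}
    unknown = (excluded | included) - KNOWN_PROTOCOLS
    if unknown:
        return set(), "unknown protocol name(s): " + ", ".join(sorted(unknown))
    if excluded and included:
        return set(), "inclusion and exclusion forms cannot be mixed"
    if included:
        return included, None
    return KNOWN_PROTOCOLS - excluded, None


def lint(settings):
    """Return [(parameter, problem)] for TLS settings that are wrong or risky."""
    findings = []
    for key in sorted(settings):
        value = settings[key]
        if key in CIPHER_GRADE_PARAMS:
            tokens = split_list(value)
            if len(tokens) != 1 or tokens[0].lower() not in CIPHER_GRADES:
                findings.append((key, "must be exactly one of %s, got %r"
                                 % (", ".join(sorted(CIPHER_GRADES)), value)))
        elif key in PROTOCOL_PARAMS:
            enabled, err = effective_protocols(value)
            if err:
                findings.append((key, err))
            elif enabled <= {"TLSv1.2"}:
                # Policy, not syntax: with a mandatory ("encrypt") policy a
                # peer that lacks the remaining version gets no fallback.
                findings.append((key, "leaves only %s enabled; peers without "
                                 "it get a handshake failure"
                                 % ", ".join(sorted(enabled))))
    return findings


# Constructed from the settings quoted in the thread.
POSTER_SETTINGS = """
smtp_tls_loglevel = 3
smtp_tls_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high, medium
smtp_tls_exclude_ciphers = aNULL, RC4
smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
smtp_tls_mandatory_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high
"""

# Constructed: cipher settings removed, only SSLv2/SSLv3 excluded.
RECOMMENDED_SETTINGS = """
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
"""

if __name__ == "__main__":
    for name, text in (("poster", POSTER_SETTINGS),
                       ("recommended", RECOMMENDED_SETTINGS)):
        print(name)
        for key, problem in lint(parse_main_cf(text)) or [("-", "no findings")]:
            print("  %s: %s" % (key, problem))
```

Feed it the output of `postconf -n` (the explicitly set parameters) rather than the whole main.cf; the poster's settings produce three findings (both cipher parameters and the protocol list that leaves only TLSv1.2), while the recommended pair produces none.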