Hello Viktor

> Your logs are too verbose. This just hides the real problem in a torrent of 
> noise.

This surprised me because we always increase the logging when there is trouble, 
right?  But it helped the most!

> Resolving TLS handshake problems requires full-package PCAP captures and 
> wireshark.

I will learn to use the Wireshark program.  It is new to me, but it looks 
powerful and I will get real benefits from it.

> Try loglevel = 1.

smtp_tls_loglevel = 1

This makes it easier to read the logs.

> smtp_tls_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high, medium
>      The above is gibberish:

Okay, anyway, I missed the info too.

This was the magic.  I made the mistake of thinking this parameter would take a 
list of ciphers like the other parameters do.  But it takes only one.

> http://www.postfix.org/postconf.5.html#smtp_tls_mandatory_ciphers
> The documented syntax is *exactly one* of:
>    null, export, low, medium, high

Since it is only the one connection from my server to his client server, and no 
others on the internet, I changed the config to

smtp_tls_ciphers = HIGH

> smtp_tls_exclude_ciphers = aNULL, RC4
>     This too is unnecessary.

That surprises me too.  I read many times that we must not use those ciphers.

And the default is

  smtp_tls_exclude_ciphers (default: empty)

So we have to set it, right?

> smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
>     That's a terrible idea, the remote server probably does not support
>     TLSv1.2. Restore the default or disable only:

It does support TLSv1.2.  And the client only wants TLSv1.2 with the high-bit 
elliptical cipher.  So I changed to

    smtp_tls_mandatory_protocols = !TLSv1.1, !TLSv1, !SSLv3, !SSLv2
    smtp_tls_mandatory_ciphers = TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384

Of course for the outside internet I do not use those.

And now everything works perfectly!

Jan 25 21:09:16 srchmx postfix/smtp[9282]: Trusted TLS connection established 
to client1.clientdomain.com[45.3x.xxx.xxx]:25: TLSv1.2 with cipher 
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 25 21:09:18 srchmx postfix/smtp[9282]: A450E8F46B: 
to=<srcht...@clientdomain.com>, 
relay=client1.clientdomain.com[45.3x.xxx.xxx]:25, delay=2.5, 
delays=0.01/0.01/0.59/1.9, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 
10F87101791)

and the mail is relayed and delivered as I hoped.

The points you made were good to learn and made me think through the details 
again with better understanding.

Thank you for the advice.

*S*
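
As an added example (this is not code from the thread, from Viktor, or from 
Postfix itself), here is a small Python checker for the two things this reply 
turns on.  It validates that a *_ciphers value is exactly one grade as 
documented in postconf(5) and that a *_protocols value does not mix "!" 
exclusions with inclusions, then audits "TLS connection established" lines from 
the Postfix SMTP client log (the format quoted above at smtp_tls_loglevel = 1) 
against the protocol and cipher the client requires.  The first sample log line 
is the one from this message; the other sample lines, the host mx.example.net, 
the CLIENT_POLICY dictionary and all function names are constructed for the 
example.

```python
"""Sanity-check Postfix SMTP-client TLS parameters and audit the sessions
Postfix then logs.  Added example for this thread, not Postfix code; it only
knows the parameter syntax from postconf(5) and the log format quoted above."""
import re

# postconf(5): smtp_tls_ciphers, smtp_tls_mandatory_ciphers (and the
# "ciphers=" attribute in smtp_tls_policy_maps) take exactly ONE grade,
# never a list and never a cipher-suite name.
CIPHER_GRADES = ("null", "export", "low", "medium", "high")

# Protocol names accepted by smtp_tls_(mandatory_)protocols.  Postfix does
# not allow mixing "!name" exclusions with plain inclusions in one value;
# newer releases also accept ">=TLSv1.2", treated here as an inclusion.
PROTOCOL_NAMES = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def check_cipher_grade(value):
    """Return problems with a *_ciphers value; an empty list means valid."""
    v = value.strip()
    if v.lower() in CIPHER_GRADES:
        return []
    if "," in v:
        return [f"{v!r}: a list is not accepted, give exactly one grade "
                f"({', '.join(CIPHER_GRADES)})"]
    return [f"{v!r}: not a cipher grade ({', '.join(CIPHER_GRADES)}); "
            "suite names are for exclusion lists, not grade parameters"]


def check_protocols(value):
    """Return problems with a *_protocols value; an empty list means valid."""
    problems, excluded, included = [], [], []
    for tok in (t.strip() for t in value.split(",") if t.strip()):
        if tok.startswith("!"):
            name, bucket = tok[1:], excluded
        elif tok.startswith(">="):
            name, bucket = tok[2:], included
        else:
            name, bucket = tok, included
        if name not in PROTOCOL_NAMES:
            problems.append(f"{tok!r}: unknown protocol name")
        bucket.append(name)
    if excluded and included:
        problems.append("mixes '!' exclusions with inclusions; use one form")
    return problems


# The "TLS connection established" line the Postfix SMTP client logs at
# smtp_tls_loglevel = 1, e.g. the line quoted in the thread.
TLS_LINE = re.compile(
    r"postfix/smtp\[\d+\]: (?P<trust>Trusted|Verified|Untrusted|Anonymous) "
    r"TLS connection established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:"
    r"(?P<port>\d+): (?P<proto>\S+) with cipher (?P<cipher>\S+) "
    r"\((?P<bits>\d+)/\d+ bits\)")


def audit_tls_log(lines, policy):
    """Compare each logged TLS session with policy (keys: min_protocol,
    cipher, trust).  Returns one dict per session with ok/reasons."""
    order = {n: i for i, n in enumerate(PROTOCOL_NAMES)}
    results = []
    for line in lines:
        m = TLS_LINE.search(line)
        if not m:
            continue                      # delivery/status lines are skipped
        s = m.groupdict()
        reasons = []
        if order.get(s["proto"], -1) < order[policy["min_protocol"]]:
            reasons.append(f"protocol {s['proto']} below {policy['min_protocol']}")
        if policy.get("cipher") and s["cipher"] != policy["cipher"]:
            reasons.append(f"cipher {s['cipher']} is not {policy['cipher']}")
        if s["trust"] not in policy["trust"]:
            reasons.append(f"{s['trust']} session, wanted {'/'.join(policy['trust'])}")
        results.append({"host": s["host"], "ok": not reasons, "reasons": reasons})
    return results


# Constructed sample log: the first entry is the line from the thread (host
# and IP masked as in the post); the other two entries are made up.
SAMPLE_LOG = [
    "Jan 25 21:09:16 srchmx postfix/smtp[9282]: Trusted TLS connection established "
    "to client1.clientdomain.com[45.3x.xxx.xxx]:25: TLSv1.2 with cipher "
    "ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jan 25 21:10:02 srchmx postfix/smtp[9301]: Untrusted TLS connection established "
    "to mx.example.net[192.0.2.10]:25: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "Jan 25 21:10:03 srchmx postfix/smtp[9301]: 3B2C1A0F00: to=<user@example.net>, "
    "relay=mx.example.net[192.0.2.10]:25, delay=1.1, status=sent (250 2.0.0 Ok)",
]

# What the client in the thread requires of its one connection (constructed).
CLIENT_POLICY = {"min_protocol": "TLSv1.2",
                 "cipher": "ECDHE-RSA-AES256-GCM-SHA384",
                 "trust": ("Trusted", "Verified")}

if __name__ == "__main__":
    for param, value in [
            ("smtp_tls_ciphers", "TLS_ECDHE_RSA_WITH_RSA_AES256_GCM_SHA384, high, medium"),
            ("smtp_tls_ciphers", "HIGH"),
            ("smtp_tls_mandatory_protocols", "!TLSv1.1, !TLSv1, !SSLv3, !SSLv2")]:
        checker = check_protocols if param.endswith("protocols") else check_cipher_grade
        print(param, "=", value, "->", checker(value) or "OK")
    for result in audit_tls_log(SAMPLE_LOG, CLIENT_POLICY):
        print(result)
```

Note that the log reports the OpenSSL cipher name (ECDHE-RSA-AES256-GCM-SHA384), 
which is the form Postfix exclusion lists such as smtp_tls_exclude_ciphers use; 
the TLS_... spelling in the quoted config is not a value any of the grade 
parameters accept, which is what the checker reports for it.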
