I have a basic postfix setup that's been working fine for a long time, but recently I've been seeing errors with a number of sites:

    "Cannot start TLS: handshake failure"

Here are some specific sites where I'm seeing this issue:

    SSL_connect error to 23.25.38.217 [23.25.38.217]
    SSL_connect error to 108.247.226.220 [108.247.226.220]
    SSL_connect error to 216.167.201.250 [216.167.201.250]

And so on.

I have minimal settings in my main.cf for the smtp_tls_* settings - most of them are simply the defaults:

    smtp_use_tls = yes
    smtp_tls_security_level = may
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_CApath = <path>
    smtp_tls_key_file = <key file>
    smtp_tls_cert_file = <cert file>
    smtp_tls_CAfile = <ca file>

And I've tried this, thinking that it could be an issue with the selected ciphers, but it makes no difference:

    smtp_tls_exclude_ciphers = 3DES DES

Here is the log for one of the failing deliveries:

    2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: setting up TLS connection to mail.mlmatthews.com[23.25.38.217]:25
    2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: mail.mlmatthews.com[23.25.38.217]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH:!3DES:!DES"
    2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: SSL_connect:before/connect initialization
    2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: SSL_connect:SSLv2/v3 write client hello A
    2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: SSL_connect error to mail.mlmatthews.com[23.25.38.217]:25: lost connection
    2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: 3lcZT61sm7z5wjJ: to=<user @mlmatthews.com>, relay=mail.mlmatthews.com[23.25.38.217]:25, delay=8.8, delays=8.5/0.26/0.05/0, dsn=4.7.5, status=undeliverable-but-not-cached (Cannot start TLS: handshake failure)

Here's what I'm running:

    postfix 3.1-20150421
    CentOS release 6.6 (Final)
    openssl-1.0.1e-30.el6.8.x86_64
    openssl-devel-1.0.1e-30.el6.8.x86_64

Any suggestions about what is going on here? Did something recently change with either openssl or with MS Exchange? Many, although not all, of the servers where I see this happening are Exchange servers, but I don't have enough data to say that's definitive.
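The post ends with "I don't have enough data"; the quickest way to get that data is to triage the mail log itself rather than reading one delivery at a time. The script below is an added example, not code from the original post or from Postfix. It groups "SSL_connect error" events by relay, keeps the cipher list and the last SSL_connect state logged by the same smtp(8) process before the failure (in the post's excerpt that is "SSLv2/v3 write client hello A", i.e. the peer dropped the connection right after the ClientHello), and ties in the matching "Cannot start TLS" DSN line. The sample log is constructed from the excerpt in the post; the second relay, its successful delivery, and the mailbox address are made up. The openssl s_client commands it emits are the editor's suggestion for reproducing a failure by hand against a single relay (trying without TLS 1.2, with TLS 1.0 only, and with a trimmed cipher list); they are not something the post describes, and the script does not run them.

```python
import re
from collections import defaultdict

# Constructed sample log, modeled on the excerpt in the post above. The second
# relay (mx.example.net, documentation range 192.0.2.0/24) and its successful
# delivery are invented so the grouping has something to ignore.
SAMPLE_LOG = """\
2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: setting up TLS connection to mail.mlmatthews.com[23.25.38.217]:25
2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: mail.mlmatthews.com[23.25.38.217]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:EXPORT:+RC4:@STRENGTH:!3DES:!DES"
2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: SSL_connect:before/connect initialization
2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: SSL_connect:SSLv2/v3 write client hello A
2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: SSL_connect error to mail.mlmatthews.com[23.25.38.217]:25: lost connection
2015-04-29T22:36:51+0000 server.domain.com postfix-gw/smtp[29844]: 3lcZT61sm7z5wjJ: to=<user@mlmatthews.com>, relay=mail.mlmatthews.com[23.25.38.217]:25, delay=8.8, delays=8.5/0.26/0.05/0, dsn=4.7.5, status=undeliverable-but-not-cached (Cannot start TLS: handshake failure)
2015-04-29T22:40:02+0000 server.domain.com postfix-gw/smtp[29901]: setting up TLS connection to mx.example.net[192.0.2.10]:25
2015-04-29T22:40:02+0000 server.domain.com postfix-gw/smtp[29901]: Anonymous TLS connection established to mx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2015-04-29T22:40:02+0000 server.domain.com postfix-gw/smtp[29901]: 3lcZVx4Kp1z5wjK: to=<user@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.9, delays=0.1/0.02/0.5/0.3, dsn=2.0.0, status=sent (250 2.0.0 OK)
"""

# Process name is "postfix[-instance]/smtp[pid]"; the pid is what lets us
# correlate the per-handshake lines with the final SSL_connect error.
LINE_RE = re.compile(r'postfix[\w-]*/smtp\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SETUP_RE = re.compile(r'^setting up TLS connection to (?P<relay>\S+)$')
CIPHER_RE = re.compile(r'^(?P<relay>\S+): TLS cipher list "(?P<list>[^"]*)"$')
ERR_RE = re.compile(r'^SSL_connect error to (?P<relay>\S+): (?P<reason>.+)$')
STATE_RE = re.compile(r'^SSL_connect:(?P<state>.+)$')
STATUS_RE = re.compile(r'relay=(?P<relay>[^,]+), .*dsn=(?P<dsn>\S+), '
                       r'status=(?P<status>\S+) \((?P<detail>.*)\)$')
RELAY_RE = re.compile(r'^(?P<host>[^\[]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)$')


def parse_tls_failures(log_text):
    """Return {relay: record} for every relay that produced an SSL_connect error.

    record = count, reasons, last_state (last SSL_connect state before the
    error), cipher_list, and the dsn/detail from the "Cannot start TLS" line.
    """
    sessions = defaultdict(dict)   # pid -> state of the handshake in progress
    failures = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m.group('pid'), m.group('msg')
        s = sessions[pid]
        m2 = SETUP_RE.match(msg)
        if m2:
            sessions[pid] = {'relay': m2['relay'], 'cipher_list': None, 'last_state': None}
            continue
        m2 = CIPHER_RE.match(msg)
        if m2:
            s['cipher_list'] = m2['list']
            continue
        m2 = ERR_RE.match(msg)          # checked before STATE_RE on purpose
        if m2:
            rec = failures.setdefault(m2['relay'], {
                'count': 0, 'reasons': set(), 'last_state': None,
                'cipher_list': None, 'dsn': None, 'detail': None})
            rec['count'] += 1
            rec['reasons'].add(m2['reason'])
            rec['last_state'] = s.get('last_state')
            rec['cipher_list'] = s.get('cipher_list')
            continue
        m2 = STATE_RE.match(msg)
        if m2:
            s['last_state'] = m2['state']
            continue
        m2 = STATUS_RE.search(msg)
        if m2 and 'Cannot start TLS' in m2['detail'] and m2['relay'] in failures:
            failures[m2['relay']]['dsn'] = m2['dsn']
            failures[m2['relay']]['detail'] = m2['detail']
    return failures


def probe_commands(relay):
    """Suggested manual openssl s_client probes for one relay (editor's
    suggestion; all flags exist in OpenSSL 1.0.1's s_client)."""
    m = RELAY_RE.match(relay)
    if not m:
        raise ValueError('unexpected relay format: %r' % relay)
    base = 'openssl s_client -connect %s:%s -starttls smtp' % (m['ip'], m['port'])
    return [base,                                   # what Postfix would offer by default
            base + ' -no_tls1_2',                   # does the peer choke on a TLS 1.2 ClientHello?
            base + ' -tls1',                        # TLS 1.0 only, smallest ClientHello
            base + " -cipher 'HIGH:MEDIUM:!3DES:!DES'"]  # is it the cipher list?


if __name__ == '__main__':
    for relay, rec in sorted(parse_tls_failures(SAMPLE_LOG).items()):
        print('%s: %d failure(s), %s, last state %r, dsn %s' % (
            relay, rec['count'], ', '.join(sorted(rec['reasons'])),
            rec['last_state'], rec['dsn']))
        for cmd in probe_commands(relay):
            print('    ' + cmd)
```

Run it against the real log with `parse_tls_failures(open('/var/log/maillog').read())`; relays whose last logged state is "write client hello A" followed by "lost connection" are the ones to probe by hand, and a probe that succeeds only with `-no_tls1_2` or `-tls1` points at the peer, not at the local cipher list.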