On 19.08.2015, at 18:58, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
> On Wed, Aug 19, 2015 at 06:30:43PM +0200, Michael Grimm wrote:
>
>> This is postfix 3.0.2 and FreeBSD-10.2/STABLE. I switched from OpenSSL to
>> LibreSSL some months ago.
>
> LibreSSL is not tested with Postfix, and so not officially supported.

Understood. I will revert to OpenSSL, then. But see below.

>> My relevant SSL/TLS settings for receiving mail didn't change ever since
>> that time (postconf -n | grep tls | grep smtpd)
>
>> smtpd_use_tls = yes
>
> Obsolete.

Thanks and removed.

>> Previous LibreSSL 2.2.1: *all* those servers delivered their mail as
>> reported by logwatch; example:
>>
>>     16  Anonymous: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
>>          1  1.2.3.4 xxx.xxx
>
> Well, LibreSSL 2.2.2 must have broken something. If you want more
> help, you'll need to disclose the IP address of your server.
>
> The servers in question must be doing something more exotic than you
> report (or I am testing the wrong server):
>
>     $ posttls-finger -c -p TLSv1 -lsecure -Lsummary \
>         -o "tls_medium_cipherlist=DHE-RSA-AES256-SHA" \
>         odo.in-berlin.de
>     mx1.enfer-du-nord.net[87.98.149.189]:25: TLSv1 with cipher
>     DHE-RSA-AES256-SHA (256/256 bits)

Yes, this is my receiving mailserver.

One of the servers in question is one of the servers sending mail for this ML:

    Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: connect from russian-caravan.cloud9.net[2604:8d00:0:1::4]
    Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: SSL_accept error from russian-caravan.cloud9.net[2604:8d00:0:1::4]: lost connection
    Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: lost connection after STARTTLS from russian-caravan.cloud9.net[2604:8d00:0:1::4]
    Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: disconnect from russian-caravan.cloud9.net[2604:8d00:0:1::4] ehlo=1 starttls=0/1 commands=1/2

(JFTR: Those servers in question use IPv4 and IPv6)

[Very informative information about SSL 3.0 ciphers removed. Thanks for that.]

>> Sigh, I do have to admit that crypto configuration isn't well understood
>> by myself, thus I feel lost here. But every hint is highly appreciated.
>
> Postfix default settings strive to free users of the burden of
> becoming experts at cryptography. Use largely default settings,
> or overrides recommended as sensible alternatives in the documentation.
>
> Plus the settings in my recent post on best practice TLS configuration.

[quoting re-ordered]

>>
>> smtpd_tls_auth_only = yes
>> smtpd_tls_security_level = may
>> smtpd_tls_loglevel = 1
>> smtpd_tls_cert_file = /path-to-pem/my-server.pem
>> smtpd_tls_key_file = /path-to-pem/my-server.pem
>> smtpd_tls_security_level = may
>> smtpd_tls_protocols = !SSLv2 !SSLv3
>> smtpd_tls_ciphers = medium
>> smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
>> smtpd_tls_mandatory_ciphers = high
>> smtpd_tls_dh1024_param_file = /path-to-pem/dh-2048.pem
>> smtpd_tls_dh512_param_file = /path-to-pem/dh-512.pem
>
> Looks good.

I always tried to stick to the default. Thus, are my settings reported too far off default?

I will revert back to OpenSSL. If you want to investigate LibreSSL's behavior with regard to russian-caravan.cloud9.net any further, I am willing to keep my secondary mx on LibreSSL for the time being. If not, please let me know.

Might have been too early for that switch to LibreSSL ...

Thanks for your input and with kind regards,
Michael
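As an added example (not part of this thread or of Postfix itself), the following Python script produces the kind of logwatch-style TLS summary discussed above from raw smtpd log lines and, alongside it, a per-client tally of SSL_accept errors and connections dropped after STARTTLS, which is the pattern that exposed the LibreSSL 2.2.2 regression here. The sample log is constructed: it reuses the four lines quoted in the thread and adds a successful handshake from a hypothetical host mx.example.net, written in Postfix's real "TLS connection established" log format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the four lines quoted in the thread plus a successful
# handshake from a hypothetical peer (mx.example.net / 192.0.2.10).
SAMPLE_LOG = """\
Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: connect from russian-caravan.cloud9.net[2604:8d00:0:1::4]
Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: SSL_accept error from russian-caravan.cloud9.net[2604:8d00:0:1::4]: lost connection
Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: lost connection after STARTTLS from russian-caravan.cloud9.net[2604:8d00:0:1::4]
Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: disconnect from russian-caravan.cloud9.net[2604:8d00:0:1::4] ehlo=1 starttls=0/1 commands=1/2
Aug 19 19:10:02 <mail.info> mail postfix/smtpd[94310]: Anonymous TLS connection established from mx.example.net[192.0.2.10]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Aug 19 19:12:40 <mail.info> mail postfix/smtpd[94312]: SSL_accept error from russian-caravan.cloud9.net[2604:8d00:0:1::4]: lost connection
"""

# Postfix logs the peer as "hostname[address]"; the address may be IPv6.
HOST = r"(?P<host>\S+\[[^\]]+\])"
ESTABLISHED = re.compile(
    r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection established from "
    + HOST + r": (?P<proto>\S+) with cipher (?P<cipher>\S+) \((?P<bits>[^)]+)\)")
ACCEPT_ERR = re.compile(r"SSL_accept error from " + HOST + r": (?P<reason>.*)$")
STARTTLS_DROP = re.compile(r"lost connection after STARTTLS from " + HOST)


def summarize(log_text):
    """Return (handshakes, failures).

    handshakes: Counter keyed like logwatch's "Anonymous: TLSv1 with cipher ..." lines.
    failures:   {peer: Counter(reason -> count)} for handshakes that did not complete.
    """
    handshakes = Counter()
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = ESTABLISHED.search(line)
        if m:
            handshakes[f"{m['trust']}: {m['proto']} with cipher {m['cipher']} ({m['bits']})"] += 1
        elif (m := ACCEPT_ERR.search(line)):
            failures[m["host"]]["SSL_accept error: " + m["reason"]] += 1
        elif (m := STARTTLS_DROP.search(line)):
            failures[m["host"]]["lost connection after STARTTLS"] += 1
    return handshakes, failures


def failing_peers(failures, threshold=2):
    """Peers with at least `threshold` failed handshakes: the ones to test with posttls-finger."""
    return sorted(h for h, c in failures.items() if sum(c.values()) >= threshold)


if __name__ == "__main__":
    hs, fl = summarize(SAMPLE_LOG)
    for key, n in hs.most_common():
        print(f"{n:5d}  {key}")
    for peer in failing_peers(fl):
        print(f"FAILING  {peer}: {dict(fl[peer])}")
```

Requires Python 3.8 or later for the walrus operator; point it at a real mail log with `summarize(open("/var/log/maillog").read())`.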