On Wed, Aug 19, 2015 at 07:49:42PM +0200, Michael Grimm wrote:

> >    mx1.enfer-du-nord.net[87.98.149.189]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
> 
> Yes, this is my receiving mailserver. 
> 
> One of the servers in question is one of the servers sending mail for this ML:
> 
> Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: connect from russian-caravan.cloud9.net[2604:8d00:0:1::4]
> Aug 19 19:08:29 <mail.info> mail postfix/smtpd[94303]: SSL_accept error from russian-caravan.cloud9.net[2604:8d00:0:1::4]: lost connection

Works for me via IPv6 too:

    $ posttls-finger -o inet_protocols=ipv6 -c -p TLSv1 -lmay -Lsummary \
        -o "tls_medium_cipherlist=DHE-RSA-AES256-SHA" \
        odo.in-berlin.de
    posttls-finger: Untrusted TLS connection established to mx1.enfer-du-nord.net[2001:41d0:8:67d4:1:1:0:1]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)

To debug further, we'd need a tcpdump full packet capture:

    http://www.postfix.org/DEBUG_README.html#sniffer

    (replace "example.com" with a suitable name or address).

> >>    smtpd_tls_auth_only = yes
> >>    smtpd_tls_security_level = may
> >>    smtpd_tls_loglevel = 1
> >>    smtpd_tls_cert_file = /path-to-pem/my-server.pem
> >>    smtpd_tls_key_file = /path-to-pem/my-server.pem
> >>    smtpd_tls_security_level = may
> >>    smtpd_tls_protocols = !SSLv2 !SSLv3
> >>    smtpd_tls_ciphers = medium
> >>    smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
> >>    smtpd_tls_mandatory_ciphers = high
> >>    smtpd_tls_dh1024_param_file = /path-to-pem/dh-2048.pem
> >>    smtpd_tls_dh512_param_file = /path-to-pem/dh-512.pem
> > 
> > Looks good.
> 
> I always tried to stick to the default. Thus, are my settings reported
> too far off default?

No, they're just right.

> I will revert back to OpenSSL. If you want to investigate LibreSSL's
> behavior with regard to russian-caravan.cloud9.net any further, I am
> willing to keep my secondary mx on LibreSSL for the time being. If not,
> please let me know. Might have been too early for that switch to LibreSSL.

I would not go out of my way to switch to LibreSSL at this time.
Use it if you're using OpenBSD, but stick with OpenSSL for now on
other platforms.

That said, it might be helpful to others to find out what
interoperability problem was introduced by LibreSSL 2.2.2.

So get a packet capture or two before reverting to OpenSSL.

-- 
        Viktor.
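
As an added example (not part of Viktor's message and not Postfix's own code), a small Python parser for the smtpd log lines quoted above: it tallies completed versus failed TLS handshakes per client host so that peers which never get past SSL_accept stand out before any packet capture or library change. The sample log, every host other than russian-caravan.cloud9.net, and all counts are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the postfix/smtpd log format quoted in the thread.
# Hosts other than russian-caravan.cloud9.net, and all counts, are made up.
SAMPLE_LOG = """\
Aug 19 19:08:29 mail postfix/smtpd[94303]: connect from russian-caravan.cloud9.net[2604:8d00:0:1::4]
Aug 19 19:08:29 mail postfix/smtpd[94303]: SSL_accept error from russian-caravan.cloud9.net[2604:8d00:0:1::4]: lost connection
Aug 19 19:08:29 mail postfix/smtpd[94303]: lost connection after STARTTLS from russian-caravan.cloud9.net[2604:8d00:0:1::4]
Aug 19 19:10:02 mail postfix/smtpd[94310]: connect from mx.example.org[192.0.2.10]
Aug 19 19:10:02 mail postfix/smtpd[94310]: Anonymous TLS connection established from mx.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Aug 19 19:12:41 mail postfix/smtpd[94303]: connect from russian-caravan.cloud9.net[2604:8d00:0:1::4]
Aug 19 19:12:41 mail postfix/smtpd[94303]: SSL_accept error from russian-caravan.cloud9.net[2604:8d00:0:1::4]: lost connection
Aug 19 19:15:07 mail postfix/smtpd[94322]: connect from mail.example.net[198.51.100.7]
Aug 19 19:15:07 mail postfix/smtpd[94322]: Untrusted TLS connection established from mail.example.net[198.51.100.7]: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)
"""

# "host[addr]" as Postfix logs the peer; IPv6 literals contain colons, so match up to ']'.
PEER = r"(?P<host>[^\s\[]+)\[(?P<addr>[^\]]+)\]"
# smtpd logs the trust level of every completed handshake at smtpd_tls_loglevel = 1.
HANDSHAKE_OK = re.compile(
    r"postfix/smtpd\[\d+\]: (?:Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established from " + PEER + r": (?P<proto>\S+) with cipher (?P<cipher>\S+)")
# A handshake that never completed, with the OpenSSL/LibreSSL reason text.
HANDSHAKE_FAIL = re.compile(
    r"postfix/smtpd\[\d+\]: SSL_accept error from " + PEER + r": (?P<reason>.*)$")

def tls_handshake_stats(log_text):
    """Per client host: completed handshakes, failed ones, failure reasons, negotiated suites."""
    stats = defaultdict(lambda: {"ok": 0, "fail": 0,
                                 "reasons": defaultdict(int), "suites": defaultdict(int)})
    for line in log_text.splitlines():
        m = HANDSHAKE_OK.search(line)
        if m:
            stats[m["host"]]["ok"] += 1
            stats[m["host"]]["suites"][f"{m['proto']} {m['cipher']}"] += 1
            continue
        m = HANDSHAKE_FAIL.search(line)
        if m:
            stats[m["host"]]["fail"] += 1
            stats[m["host"]]["reasons"][m["reason"]] += 1
    return stats

def always_failing_peers(stats, min_attempts=2):
    """Hosts with at least min_attempts SSL_accept errors and no completed handshake:
    the peers worth a packet capture before changing the TLS library again."""
    return sorted(h for h, s in stats.items() if s["fail"] >= min_attempts and s["ok"] == 0)
```

Run it over the real maillog on the LibreSSL box and again after reverting to OpenSSL; a host that moves from the always-failing list to a recorded suite is the interoperability difference worth reporting.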
