On Sun, 13 Sep 2015 15:54:45 +0000, Viktor Dukhovni stated:

> On Sun, Sep 13, 2015 at 11:37:07AM -0400, Postfix User wrote:
> 
> > Sep 13 11:22:41 scorpio postfix/submission/smtpd[18955]: warning: TLS
> > library problem: error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> > shared cipher:s3_srvr.c:1413:
> 
> Your problem is that in your Postfix SMTP server you've disabled
> all the SSL/TLS ciphers supported by the SMTP client.  As Wietse
> noted, without any server configuration information, it is rather
> difficult to give a more detailed response.

Sorry Viktor, I am an idiot. I fully meant to include all of that info, but I
simply forgot. Here it is. I used, I hope anyway, your recommendations for
what ciphers to allow.

$ postconf -nf
alias_maps = lmdb:/usr/local/etc/postfix/aliases
authorized_submit_users = !www, static:all
broken_sasl_auth_clients = yes
canonical_maps = lmdb:/usr/local/etc/postfix/canonical
command_directory = /usr/local/sbin
compatibility_level = 2
daemon_directory = /usr/local/libexec/postfix
data_directory = /var/db/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
default_database_type = lmdb
delay_warning_time = 12h
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
html_directory = /usr/local/share/doc/postfix
inet_protocols = ipv4
mail_owner = postfix
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
message_size_limit = 26214400
milter_default_action = accept
msa_tls_ciphers = medium
msa_tls_dh1024_param_file = ${config_directory}/dh2048.pem
msa_tls_exclude_ciphers = MD5, RC4, 3DES
msa_tls_protocols = !SSLv2, !SSLv3
mydestination =
mydomain = seibercom.net
myhostname = scorpio.seibercom.net
mynetworks = lmdb:/usr/local/etc/postfix/my-networks
myorigin = $mydomain
newaliases_path = /usr/local/bin/newaliases
queue_directory = /var/spool/postfix
readme_directory = /usr/local/share/doc/postfix
sample_directory = /usr/local/etc/postfix
sender_dependent_relayhost_maps = lmdb:/usr/local/etc/postfix/sender_relay
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
smtp_dns_support_level = dnssec
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = lmdb:/usr/local/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtp_tls_CApath = /usr/local/etc/postfix/certs/
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = MD5, SRP, PSK, aDSS, kECDH, kDH, SEED, IDEA, RC2, RC5
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = lmdb:/usr/local/etc/postfix/tls_policy
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = dane
smtp_tls_session_cache_database = btree:/var/db/postfix/smtp_tls_session_cache
smtpd_authorized_verp_clients = $mynetworks
smtpd_client_restrictions = permit_mynetworks reject_unknown_client_hostname
    reject_unauth_pipelining permit_sasl_authenticated
smtpd_milters = unix:/var/run/clamav/clmilter.sock
smtpd_recipient_restrictions = reject_unauth_pipelining,
    permit_sasl_authenticated permit_mynetworks, reject_unauth_destination
    reject_rbl_client bl.spamcop.net permit
smtpd_reject_footer = For assistance, please provide the following information
    in your problem report: time ($localtime), client ($client_address) and
    server ($server_name).
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated
    reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = no
smtpd_sasl_local_domain = $mydomain
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous, noplaintext
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_tls_CAfile = /usr/local/etc/postfix/certs/cacert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /usr/local/etc/postfix/certs/Postfix-cert.pem
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /usr/local/etc/postfix/ssl/DHparams/dh2048.pem
smtpd_tls_dh512_param_file = /usr/local/etc/postfix/ssl/DHparams/dh512.pem
smtpd_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_key_file = /usr/local/etc/postfix/certs/Postfix-key.pem
smtpd_tls_loglevel = 1
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database =
smtpd_use_tls = yes
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
tls_random_source = dev:/dev/urandom
transport_maps = lmdb:/usr/local/etc/postfix/transport_maps
unknown_local_recipient_reject_code = 550
virtual_alias_maps = lmdb:/usr/local/etc/postfix/virtual_alias
virtual_gid_maps = static:1002
virtual_mailbox_base = /var/mail/vmail/
virtual_mailbox_domains = seibercom.net stemnc.org
virtual_mailbox_maps = lmdb:/usr/local/etc/postfix/vmailbox
virtual_minimum_uid = 100
virtual_transport = dovecot
virtual_uid_maps = static:1002


-- 
Jerry
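
Added example (not part of the original message, and not Postfix code): a small Python parser for the `postconf -nf` output above that joins folded lines and reports, per parameter prefix, the cipher grade, any explicit `tls_<grade>_cipherlist` override in main.cf, and the exclusion and protocol lists. The sample input is a constructed subset of the posted configuration, the function names are illustrative, and master.cf overrides for the submission service are not on the page, so they are not modelled.

```python
import re

# Constructed sample: a subset of the `postconf -nf` output in the message above.
SAMPLE = """\
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
    $daemon_directory/$process_name $process_id & sleep 5
msa_tls_ciphers = medium
msa_tls_exclude_ciphers = MD5, RC4, 3DES
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EXPORT, LOW
smtpd_tls_protocols = !SSLv2, !SSLv3
tls_medium_cipherlist = AES128+EECDH:AES128+EDH
"""

def parse_postconf(text):
    """Turn `postconf -n`/`-nf` output into {name: value}, joining folded lines."""
    params, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            # -f folds long values onto indented continuation lines
            params[current] = (params[current] + " " + line.strip()).strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            current = name.strip()
            params[current] = value.strip()
    return params

def split_list(value):
    # Postfix list values as written on the page: comma and/or whitespace separated
    return [item for item in re.split(r"[,\s]+", value or "") if item]

def cipher_view(params, prefix="smtpd"):
    """Cipher settings for one prefix; "msa" reads this config's user-defined msa_* names."""
    grade = params.get(f"{prefix}_tls_ciphers")
    list_param = f"tls_{grade}_cipherlist" if grade else None
    return {
        "grade": grade,
        "cipherlist_param": list_param,
        # `postconf -n` shows only explicit settings: a value here replaces the grade's default
        "cipherlist_override": params.get(list_param) if list_param else None,
        "exclude": split_list(params.get(f"{prefix}_tls_exclude_ciphers")),
        "protocols": split_list(params.get(f"{prefix}_tls_protocols")),
    }

if __name__ == "__main__":
    conf = parse_postconf(SAMPLE)
    for prefix in ("smtpd", "msa"):
        print(prefix, cipher_view(conf, prefix))
```

For the posted configuration this shows that the `medium` grade used by both `smtpd_tls_ciphers` and `msa_tls_ciphers` resolves to the overridden `tls_medium_cipherlist` string, with the per-prefix exclusions applied on top.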
