On Sun, Nov 01, 2015 at 02:49:20PM -0500, David Mehler wrote:
> Still stuck. I've got the below not sure if it helps, it does show
> that on 143 and 587 client wise no peer is being sent or verified.
>
> openssl s_client -starttls smtp -connect localhost:587
> CONNECTED(00000003)
> 34379270664:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:782:
The thing on port 587 is not speaking any recognizable form of TLS.
Logs from the peer would be quite useful in this context.
> openssl s_client -starttls smtp -connect localhost:143
> CONNECTED(00000003)
Well, port 143 speaks IMAP not SMTP so "starttls smtp" is not
likely to get far for that port.
> # TLS parameters
> smtpd_tls_auth_only = yes
> smtpd_tls_mandatory_ciphers = high
> smtpd_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA
That looks rather like a random hodge-podge. Try:
smtpd_tls_ciphers = medium
instead.
> smtp_tls_mandatory_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4,
> MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5,
> CBC3-SHA
Ditto.
> Any help appreciated.
Logs.
--
Viktor.
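A small probe script, added here as an example (it is not part of the thread and not Postfix's own tooling), that does what the reply above describes: pick the STARTTLS protocol name from the port being tested and then classify the openssl s_client output into "peer is not speaking TLS" versus a negotiated session with or without a verified chain. The port-to-protocol mapping and the sample outputs in the test are assumptions/constructed.

```shell
#!/bin/sh
# Added example: probe a mail port with the matching STARTTLS protocol and
# classify the openssl s_client result.

# Map a port to the protocol name that "openssl s_client -starttls" expects.
# Assumption: standard assignments (25/587 = SMTP, 143 = IMAP, 110 = POP3).
starttls_proto_for_port() {
    case "$1" in
        25|587) echo smtp ;;
        143)    echo imap ;;
        110)    echo pop3 ;;
        *)      return 1 ;;
    esac
}

# Classify captured s_client output. Prints one of:
#   no-tls          the peer answered with something that is not TLS
#                   ("unknown protocol" from SSL23_GET_SERVER_HELLO)
#   tls-ok          TLS negotiated and "Verify return code" is 0
#   tls-unverified  TLS negotiated but the chain did not verify
#   unknown         none of the above was found in the output
classify_s_client() {
    out="$1"
    case "$out" in
        *"unknown protocol"*) echo no-tls; return ;;
    esac
    code=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)
    if [ -z "$code" ]; then
        echo unknown
    elif [ "$code" = "0" ]; then
        echo tls-ok
    else
        echo tls-unverified
    fi
}

# Probe host:port, choosing the STARTTLS protocol from the port, so that
# port 143 is tested with "imap" and 587 with "smtp".
probe_starttls() {
    host="$1"; port="$2"
    proto=$(starttls_proto_for_port "$port") || {
        echo "no STARTTLS protocol known for port $port" >&2; return 2; }
    out=$(openssl s_client -starttls "$proto" -connect "$host:$port" \
        </dev/null 2>&1)
    classify_s_client "$out"
}
```

Run `probe_starttls localhost 587` and `probe_starttls localhost 143`; a "no-tls" result means the server's own logs, not the client side, are where to look next.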