Dear people:
I have a small server with few email accounts no more than 10. only 3
customers connect with the server.
2 customers connect without problem, desktop and phone.
1 customer connect with phone, but have problems with their windows 10 PC
To the customer simply show a message, the server do not allow cypher type.
The server show this in the log
2016-01-29T13:51:45.379788-03:00 schweb postfix/smtpd[26675]: initializing the
server-side TLS engine
2016-01-29T13:51:45.650969-03:00 schweb postfix/smtpd[26675]: warning:
hostname 191-113-58----.baf.movistar.cl does not resolve to address
191.113.58.---: Name or service not known
2016-01-29T13:51:45.652101-03:00 schweb postfix/smtpd[26675]: connect from
unknown[191.113.58.---]
2016-01-29T13:51:45.725562-03:00 schweb postfix/smtpd[26675]: lost connection
after UNKNOWN from unknown[191.113.58.___]
2016-01-29T13:51:45.729548-03:00 schweb postfix/smtpd[26675]: disconnect from
unknown[191.113.58.---]
2016-01-29T13:52:26.443740-03:00 schweb postfix/smtpd[26675]: warning:
hostname 191-113-58----.baf.movistar.cl does not resolve to address
191.113.58.---: Name or service not known
2016-01-29T13:52:26.444951-03:00 schweb postfix/smtpd[26675]: connect from
unknown[191.113.58.---]
2016-01-29T13:52:26.569998-03:00 schweb postfix/smtpd[26675]: setting up TLS
connection from unknown[191.113.58.---]
2016-01-29T13:52:26.571189-03:00 schweb postfix/smtpd[26675]:
unknown[191.113.58.---]: TLS cipher list "aNULL:-aNULL:ALL:+RC4:@STRENGTH"
2016-01-29T13:52:26.575515-03:00 schweb postfix/smtpd[26675]:
SSL_accept:before/accept initialization
2016-01-29T13:52:26.634822-03:00 schweb postfix/smtpd[26675]: SSL_accept:SSLv3
read client hello A
2016-01-29T13:52:26.636544-03:00 schweb postfix/smtpd[26675]: SSL_accept:SSLv3
write server hello A
2016-01-29T13:52:26.640005-03:00 schweb postfix/smtpd[26675]: SSL_accept:SSLv3
write certificate A
2016-01-29T13:52:26.667068-03:00 schweb postfix/smtpd[26675]: SSL_accept:SSLv3
write key exchange A
2016-01-29T13:52:26.672211-03:00 schweb postfix/smtpd[26675]: SSL_accept:SSLv3
write server done A
2016-01-29T13:52:26.675273-03:00 schweb postfix/smtpd[26675]: SSL_accept:SSLv3
flush data
2016-01-29T13:52:26.759913-03:00 schweb postfix/smtpd[26675]: SSL3 alert
write:fatal:protocol version
2016-01-29T13:52:26.761171-03:00 schweb postfix/smtpd[26675]: SSL_accept:error
in SSLv3 read client certificate A
2016-01-29T13:52:26.761944-03:00 schweb postfix/smtpd[26675]: SSL_accept error
from unknown[191.113.58.---]: -1
2016-01-29T13:52:26.768228-03:00 schweb postfix/smtpd[26675]: warning: TLS
library problem: 26675:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong
version number:s3_pkt.c:345:
2016-01-29T13:52:26.776322-03:00 schweb postfix/smtpd[26675]: lost connection
after STARTTLS from unknown[191.113.58.---]
2016-01-29T13:52:26.777854-03:00 schweb postfix/smtpd[26675]: disconnect from
unknown[191.113.58.---]
The config file
postconf |grep "tls"
lmtp_enforce_tls = no
lmtp_sasl_tls_security_options = $lmtp_sasl_security_options
lmtp_sasl_tls_verified_security_options = $lmtp_sasl_tls_security_options
lmtp_starttls_timeout = 300s
lmtp_tls_CAfile =
lmtp_tls_CApath =
lmtp_tls_block_early_mail_reply = no
lmtp_tls_cert_file =
lmtp_tls_ciphers = export
lmtp_tls_dcert_file =
lmtp_tls_dkey_file = $lmtp_tls_dcert_file
lmtp_tls_eccert_file =
lmtp_tls_eckey_file = $lmtp_tls_eccert_file
lmtp_tls_enforce_peername = yes
lmtp_tls_exclude_ciphers =
lmtp_tls_fingerprint_cert_match =
lmtp_tls_fingerprint_digest = md5
lmtp_tls_key_file = $lmtp_tls_cert_file
lmtp_tls_loglevel = 0
lmtp_tls_mandatory_ciphers = medium
lmtp_tls_mandatory_exclude_ciphers =
lmtp_tls_mandatory_protocols = !SSLv2
lmtp_tls_note_starttls_offer = no
lmtp_tls_per_site =
lmtp_tls_policy_maps =
lmtp_tls_protocols = !SSLv2
lmtp_tls_scert_verifydepth = 9
lmtp_tls_secure_cert_match = nexthop
lmtp_tls_security_level =
lmtp_tls_session_cache_database =
lmtp_tls_session_cache_timeout = 3600s
lmtp_tls_verify_cert_match = hostname
lmtp_use_tls = no
milter_helo_macros = {tls_version} {cipher} {cipher_bits} {cert_subject}
{cert_issuer}
postscreen_enforce_tls = $smtpd_enforce_tls
postscreen_tls_security_level = $smtpd_tls_security_level
postscreen_use_tls = $smtpd_use_tls
smtp_enforce_tls = no
smtp_sasl_tls_security_options = $smtp_sasl_security_options
smtp_sasl_tls_verified_security_options = $smtp_sasl_tls_security_options
smtp_starttls_timeout = 300s
smtp_tls_CAfile =
smtp_tls_CApath =
smtp_tls_block_early_mail_reply = no
smtp_tls_cert_file =
smtp_tls_ciphers = export
smtp_tls_dcert_file =
smtp_tls_dkey_file = $smtp_tls_dcert_file
smtp_tls_eccert_file =
smtp_tls_eckey_file = $smtp_tls_eccert_file
smtp_tls_enforce_peername = yes
smtp_tls_exclude_ciphers =
smtp_tls_fingerprint_cert_match =
smtp_tls_fingerprint_digest = md5
smtp_tls_key_file = $smtp_tls_cert_file
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers =
smtp_tls_mandatory_protocols = !SSLv2
smtp_tls_note_starttls_offer = no
smtp_tls_per_site =
smtp_tls_policy_maps =
smtp_tls_protocols = !SSLv2
smtp_tls_scert_verifydepth = 9
smtp_tls_secure_cert_match = nexthop, dot-nexthop
smtp_tls_security_level =
smtp_tls_session_cache_database =
smtp_tls_session_cache_timeout = 3600s
smtp_tls_verify_cert_match = hostname
smtp_use_tls = yes
smtpd_client_new_tls_session_rate_limit = 10
smtpd_enforce_tls = no
smtpd_sasl_tls_security_options = $smtpd_sasl_security_options
smtpd_starttls_timeout = ${stress?10}${stress:300}s
smtpd_tls_CAfile = /etc/postfix/ssl/ca.crt
smtpd_tls_CApath =
smtpd_tls_always_issue_session_ids = yes
smtpd_tls_ask_ccert = no
smtpd_tls_auth_only = yes
smtpd_tls_ccert_verifydepth = 9
smtpd_tls_cert_file = /etc/postfix/ssl/cert.pem
smtpd_tls_ciphers = export
smtpd_tls_dcert_file =
smtpd_tls_dh1024_param_file =
smtpd_tls_dh512_param_file =
smtpd_tls_dkey_file = $smtpd_tls_dcert_file
smtpd_tls_eccert_file =
smtpd_tls_eckey_file = $smtpd_tls_eccert_file
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers =
smtpd_tls_fingerprint_digest = md5
smtpd_tls_key_file = /etc/postfix/ssl/key.pem
smtpd_tls_loglevel = 2
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers =
smtpd_tls_mandatory_protocols = !SSLv3,!TLSv1,!TLSv1.1,!TLSv1.2
smtpd_tls_protocols =
smtpd_tls_received_header = yes
smtpd_tls_req_ccert = no
smtpd_tls_security_level =
smtpd_tls_session_cache_database =
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_wrappermode = no
smtpd_use_tls = yes
tls_append_default_CA = no
tls_daemon_random_bytes = 32
tls_disable_workarounds =
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_export_cipherlist = aNULL:-aNULL:ALL:+RC4:@STRENGTH
tls_high_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:!MEDIUM:+RC4:@STRENGTH
tls_legacy_public_key_fingerprints = no
tls_low_cipherlist = aNULL:-aNULL:ALL:!EXPORT:+RC4:@STRENGTH
tls_medium_cipherlist = aNULL:-aNULL:ALL:!EXPORT:!LOW:+RC4:@STRENGTH
tls_null_cipherlist = eNULL:!aNULL
tls_preempt_cipherlist = no
tls_random_bytes = 32
tls_random_exchange_name = ${data_directory}/prng_exch
tls_random_prng_update_period = 3600s
tls_random_reseed_period = 3600s
tls_random_source = dev:/dev/urandom
tlsproxy_enforce_tls = $smtpd_enforce_tls
tlsproxy_service_name = tlsproxy
tlsproxy_tls_CAfile = $smtpd_tls_CAfile
tlsproxy_tls_CApath = $smtpd_tls_CApath
tlsproxy_tls_always_issue_session_ids = $smtpd_tls_always_issue_session_ids
tlsproxy_tls_ask_ccert = $smtpd_tls_ask_ccert
tlsproxy_tls_ccert_verifydepth = $smtpd_tls_ccert_verifydepth
tlsproxy_tls_cert_file = $smtpd_tls_cert_file
tlsproxy_tls_ciphers = $smtpd_tls_ciphers
tlsproxy_tls_dcert_file = $smtpd_tls_dcert_file
tlsproxy_tls_dh1024_param_file = $smtpd_tls_dh1024_param_file
tlsproxy_tls_dh512_param_file = $smtpd_tls_dh512_param_file
tlsproxy_tls_dkey_file = $smtpd_tls_dkey_file
tlsproxy_tls_eccert_file = $smtpd_tls_eccert_file
tlsproxy_tls_eckey_file = $smtpd_tls_eckey_file
tlsproxy_tls_eecdh_grade = $smtpd_tls_eecdh_grade
tlsproxy_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
tlsproxy_tls_fingerprint_digest = $smtpd_tls_fingerprint_digest
tlsproxy_tls_key_file = $smtpd_tls_key_file
tlsproxy_tls_loglevel = $smtpd_tls_loglevel
tlsproxy_tls_mandatory_ciphers = $smtpd_tls_mandatory_ciphers
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
tlsproxy_tls_req_ccert = $smtpd_tls_req_ccert
tlsproxy_tls_security_level = $smtpd_tls_security_level
tlsproxy_tls_session_cache_timeout = $smtpd_tls_session_cache_timeout
tlsproxy_use_tls = $smtpd_use_tls
tlsproxy_watchdog_timeout = 10s
any clue is appreciated.
Best Regards
Christian
--
En un mundo sin fronteras.... ¿Quién necesita Puertas y Ventanas?
EN INGLES: In a world without frontiers, who needs Gates and Windows
http://www.schdev.com.ar
http://gnc2.schdev.com.ar
