> On Dec 2, 2016, at 4:22 AM, Zalezny Niezalezny <zalezny.niezale...@gmail.com> wrote:
>
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
> Dec 2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Your Postfix SMTP server, accepting an inbound connection, could not complete a TLS handshake with the remote SMTP client, because the remote SMTP client's list of supported TLS ciphers, TLS signature algorithms, supported EC curves, ... did not support any of the corresponding parameter combinations available on your server.

For more detailed help, you should post more detail of your TLS configuration. (The shell commands below assume a POSIX shell, not csh or similar):

* What version of OpenSSL is your Postfix SMTP server linked with? Post the output of:

    $ openssl version -v -p
    $ ldd $(type -p openssl)
    $ ldd $(postconf -xh daemon_directory)/smtpd

* Post the output of:

    $ postconf -n | egrep '^(smtpd_|)tls_'

* Post the output of (executed as root):

    # for cert in $(postconf -xh smtpd_tls_cert_file smtpd_tls_eccert_file smtpd_tls_dcert_file)
      do
        echo "$cert:"
        openssl x509 -in "$cert" -subject -issuer -dates
      done

* If the problem is ongoing, capture some TCP traffic from that client:

    # client=152.21.2.44
    # ifname=eth0; : set ifname to match your external interface
    # pcap=/var/tmp/$client.pcap
    # (umask 077; tcpdump -c 1000 -i $ifname -s 0 -w $pcap host $client and tcp port 25) &

  This may be useful later. It will capture at most 1000 packets from/to that client. That is often enough to capture a few STARTTLS attempts. If you're unlucky, it will catch just a portion of a session that is sending a large attachment; in that case you'll try again later...

-- 
	Viktor.
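The two log lines quoted at the top of the thread are the ones to watch for on the server side. As an added example (not part of Viktor's reply and not Postfix's own tooling), the Python script below correlates Postfix's "SSL_accept error from" line with the "TLS library problem" line emitted by the same smtpd process id, and counts failed inbound handshakes per client and OpenSSL reason, so a client that repeatedly fails with "no shared cipher" stands out from one-off noise. The sample log text is constructed in the format shown in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:12:03 postfix-server01 postfix/smtpd[37036]: warning: TLS library problem: 37036:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec  2 10:13:07 postfix-server01 postfix/smtpd[37040]: SSL_accept error from smtptransit.de.net.intra[152.21.2.44]: -1
Dec  2 10:13:07 postfix-server01 postfix/smtpd[37040]: warning: TLS library problem: 37040:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1352:
Dec  2 10:14:12 postfix-server01 postfix/smtpd[37044]: Anonymous TLS connection established from mx.example.org[192.0.2.10]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
"""

# The SSL_accept line names the client; the library-problem line names the reason.
ACCEPT_ERR = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: SSL_accept error from "
    r"(?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")
LIB_PROBLEM = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"\d+:error:(?P<code>[0-9A-F]+):SSL routines:(?P<func>\w+):(?P<reason>[^:]+):")

def summarize_tls_failures(log_text):
    """Return {(client_host, client_ip): Counter({'FUNC: reason': n})}.

    The two lines are correlated on the smtpd process id, so interleaved
    lines from other smtpd processes do not attach a reason to the wrong client.
    """
    pending = {}                   # pid -> (host, ip) still waiting for its reason line
    counts = defaultdict(Counter)  # (host, ip) -> Counter of handshake failure reasons
    for line in log_text.splitlines():
        m = ACCEPT_ERR.search(line)
        if m:
            pending[m["pid"]] = (m["host"], m["ip"])
            continue
        m = LIB_PROBLEM.search(line)
        if m and m["pid"] in pending:
            client = pending.pop(m["pid"])
            counts[client][f'{m["func"]}: {m["reason"]}'] += 1
    return counts

if __name__ == "__main__":
    for (host, ip), reasons in summarize_tls_failures(SAMPLE_LOG).items():
        for reason, n in reasons.most_common():
            print(f"{n:4d}  {host}[{ip}]  {reason}")
```

Feed it real lines with e.g. `grep 'postfix/smtpd' /var/log/mail.log` to see which clients are affected before collecting the configuration details Viktor asks for.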