> On Mar 27, 2017, at 1:09 PM, oakley <femarkw...@gmail.com> wrote:
>
> SSL_connect error to email-smtp.eu-west-1.amazonaws.com[52.51.114.192]:25: -1
>
> localhost postfix/smtp[2100]: warning: TLS library problem:
> error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:
> unknown protocol:s23_clnt.c:794:93591BEF30:
> Cannot start TLS: handshake failure
>
> relayhost = [email-smtp.eu-west-1.amazonaws.com]:25

Double check that this is the correct relay to use. Typically, providers
operate SMTP submission services on port 587 (STARTTLS) or 465 (SMTP inside
SSL/TLS). Port 25 is rarely used for submission, but when it is, it operates
similarly to port 587.

> smtp_sasl_auth_enable = yes
> smtp_sasl_security_options = noanonymous
> smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
> smtp_use_tls = yes

You don't need "smtp_use_tls = yes", since you already have the non-obsolete
"smtp_tls_security_level = encrypt".

> smtp_tls_note_starttls_offer = yes

Not needed.

> smtp_tls_wrappermode = yes

This is the source of your problem, this setting implements the "SMTP inside
SSL/TLS" operating mode used on port 465, and is NOT compatible with STARTTLS
on ports 587 and 25.

> smtp_tls_security_level = encrypt
> smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

With this, depending on the certificate chain of the relay, you may eventually
be able to use "smtp_tls_security_level = secure", which you should try after
fixing all the other problems.

-- 
Viktor.
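
Added example, not part of the original thread and not Postfix code: a small Python check that parses main.cf-style text and flags the mismatch described above between "smtp_tls_wrappermode" and the relayhost port. The function names, finding labels and service-name table are hypothetical, and the sample input is constructed from the settings quoted in the message.

```python
import re

# Constructed sample: a subset of the main.cf settings quoted in the thread.
SAMPLE_MAIN_CF = """\
relayhost = [email-smtp.eu-west-1.amazonaws.com]:25
smtp_use_tls = yes
smtp_tls_wrappermode = yes
smtp_tls_security_level = encrypt
"""
SERVICES = {"smtp": 25, "submission": 587, "smtps": 465}  # assumed name table
STARTTLS_PORTS = {25, 587}  # the STARTTLS ports named in the thread

def parse_main_cf(text):
    """Parse 'name = value' lines; leading whitespace continues the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace():
            if last:
                params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def relay_port(relayhost):
    """Port of 'host', 'host:port' or '[host]:port'; 25 if omitted, None if unparsable."""
    m = re.match(r"^(?:\[[^\]]+\]|[^:\[\]\s]+)(?::(\w+))?$", relayhost.strip())
    if not m:
        return None
    port = m.group(1) or "smtp"
    return int(port) if port.isdigit() else SERVICES.get(port)

def lint(params):
    """Return labels for the TLS mode problems discussed in the thread."""
    findings = []
    port = relay_port(params.get("relayhost", ""))
    wrapper = params.get("smtp_tls_wrappermode", "no").lower() == "yes"
    if wrapper and port in STARTTLS_PORTS:
        findings.append(f"wrappermode-on-starttls-port:{port}")
    if not wrapper and port == 465:
        findings.append("port-465-without-wrappermode")
    if "smtp_use_tls" in params and "smtp_tls_security_level" in params:
        findings.append("redundant-smtp_use_tls")
    return findings

if __name__ == "__main__":
    print(lint(parse_main_cf(SAMPLE_MAIN_CF)))
```
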