On Wed, Oct 25, 2017, at 03:39 AM, Petri Riihikallio wrote:
> You and UPS require different sets of ciphers and have none in common. Either
> you have tinkered with server cipher requirements or UPS has edited their
> client cipher list. Check your postconf -n to find out if it's you.
> http://www.postfix.org/TLS_README.html#server_cipher
>
> Testing with openssl s_client doesn’t prove anything about Postfix cipher
> settings (except that the connection is possible if no setting denies it.)
>
> The general rule is to use the defaults. Postfix defaults are set to err on
> the safe side. You’ll gain very little by altering them. If you try to
> “harden” Postfix you usually end up with no connection or fall back to
> plaintext.

I checked the server and this is how it's configured:

postconf -n | grep smtpd | grep tls | grep ciphers
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers = EXPORT, LOW, RC4, eNULL, NULL
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aNULL
tlsproxy_tls_mandatory_exclude_ciphers = $smtpd_tls_mandatory_exclude_ciphers

postconf -n | grep smtpd | grep tls | grep protocols
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols

Checking the logs for the last 6 months, this is the ONLY domain that these
errors exist for. I guess

Any way to check what THEY are trying to use? Which cipher?

Dave
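
Added example, not part of the original thread: the TLS ClientHello travels in the clear after STARTTLS, so a packet capture of one failing connection shows which cipher suites the client offers. This Python code parses such a record and drops the suites matching the RC4, EXPORT and NULL exclusions from the postconf output above. The function names, the small suite table and the sample bytes are constructed for illustration.

```python
import struct

# Subset of IANA cipher-suite code points; unknown ids are shown as hex.
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}
# Rough name match for the RC4, EXPORT and NULL exclusions quoted above
# (assumption: OpenSSL's LOW class is not modelled here).
EXCLUDED_MARKERS = ("_RC4_", "_EXPORT", "_NULL_")

def offered_suites(record: bytes) -> list:
    """List the cipher suites offered in one raw TLS ClientHello record."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    pos = 2 + 32                      # skip client_version and random
    if len(hello) < pos + 1:
        raise ValueError("truncated ClientHello")
    pos += 1 + hello[pos]             # skip session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", hello, pos)
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(raw) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher_suites list")
    ids = struct.unpack("!%dH" % (cs_len // 2), raw)
    return [SUITES.get(i, "0x%04X" % i) for i in ids]

def surviving(names):
    """Offered suites left after the exclusions (SCSV is a signal, not a cipher)."""
    return [n for n in names
            if "SCSV" not in n and not any(m in n for m in EXCLUDED_MARKERS)]

def sample_client_hello(ids):
    """Constructed ClientHello record (TLS 1.0, zero random, no extensions)."""
    cs = struct.pack("!%dH" % len(ids), *ids)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    offer = offered_suites(sample_client_hello([0x0004, 0x0005, 0x00FF]))
    print("offered:  ", offer)
    print("surviving:", surviving(offer))   # empty list: nothing left to negotiate
```

A suite that survives this filter is not necessarily accepted: the medium cipher grade and the server's OpenSSL build narrow the set further.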