On 28 April 2018 at 15:43, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
>
>> On Apr 28, 2018, at 3:40 AM, Dominic Raferd <domi...@timedicer.co.uk> wrote:
>>
>> So far I have one genuine sender that is failing TLS, but upon
>> checking I see that it falls back to cleartext.
>
> It'd be interesting to know why that particular sender is having
> trouble. Can you provide more detail?
>
> Some senders have SMTP client implementations that refuse to complete
> a STARTTLS handshake when they can't verify the server's certificate
> chain, but are then willing to send in the clear. The logic of
> downgrading from unauthenticated encryption to unauthenticated cleartext
> rather escapes me. :-)
>
> http://postfix.1071664.n5.nabble.com/Another-yahoo-problem-tp89756p89769.html
Here are the relevant log entries:

2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: connect from smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: SSL_accept error from smtp1.finarea.ch[77.72.174.188]: -1
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: lost connection after STARTTLS from smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:22 ourdomain postfix/smtpd[6043]: disconnect from smtp1.finarea.ch[77.72.174.188] ehlo=1 starttls=0/1 commands=1/2
2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: connect from smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: 884A860167: client=smtp1.finarea.ch[77.72.174.188]
2018-03-26 00:29:23 ourdomain postfix/cleanup[6091]: 884A860167: message-id=<61f7f420541b2be8ac51dbe240ff2...@18185.co.uk>
2018-03-26 00:29:23 ourdomain opendmarc[1566]: 884A860167: SPF(mailfrom): donotre...@18185.co.uk fail
2018-03-26 00:29:23 ourdomain postfix/smtpd[6043]: disconnect from smtp1.finarea.ch[77.72.174.188] helo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
...continues to successful delivery...

I've now found similar fall-backs for atlas.net.tr (Turkish service provider) - same TLS problem 'error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:'. I guess that (in both cases) this is because the incoming client is old and can't offer better security than SSL3 - which we reject.

My TLS settings are pretty standard:

# postconf -n|grep smtpd_tls|grep -v _file
smtpd_tls_auth_only = yes
smtpd_tls_loglevel = 1
smtpd_tls_security_level = may
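As an added illustration, not part of the thread, here is a small Python script that scans smtpd log lines in the layout shown above and flags peers whose STARTTLS handshake failed and which then had a message queued shortly afterwards without an encrypted session in between, i.e. the cleartext fallback Dominic describes. The sample log, the host names and the 60-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Postfix smtpd lines in the thread's syslog layout: "<timestamp> <host> postfix/smtpd[pid]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: (?P<msg>.*)$")
PEER = r"(?P<peer>\S+\[[^\]]+\])"      # "hostname[ip]" as Postfix logs it
TLS_FAIL_RE = re.compile(r"^(?:SSL_accept error|lost connection after STARTTLS) from " + PEER)
TLS_OK_RE = re.compile(r"^(?:Anonymous|Untrusted|Trusted|Verified) TLS connection established from " + PEER)
QUEUED_RE = re.compile(r"^[0-9A-Za-z]+: client=" + PEER)   # a message was accepted from this client

def find_tls_downgrades(lines, window=timedelta(seconds=60)):
    """Return (peer, fail_ts, queued_ts) for each peer whose STARTTLS handshake failed
    and which then had a message queued within `window` with no successful TLS session
    in between, i.e. the client reconnected and delivered in cleartext."""
    failed = {}      # peer -> time of its most recent STARTTLS failure
    downgrades = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        msg = m["msg"]
        if f := TLS_FAIL_RE.match(msg):
            failed[f["peer"]] = ts
        elif ok := TLS_OK_RE.match(msg):
            failed.pop(ok["peer"], None)   # an encrypted session followed; not a downgrade
        elif (q := QUEUED_RE.match(msg)) and q["peer"] in failed:
            t0 = failed.pop(q["peer"])
            if ts - t0 <= window:
                downgrades.append((q["peer"], t0, ts))
    return downgrades

# Constructed sample modelled on the excerpt in the thread (documentation IPs, not real hosts).
SAMPLE_LOG = """\
2018-03-26 00:29:22 mx postfix/smtpd[6043]: connect from relay.example.net[192.0.2.10]
2018-03-26 00:29:22 mx postfix/smtpd[6043]: SSL_accept error from relay.example.net[192.0.2.10]: -1
2018-03-26 00:29:22 mx postfix/smtpd[6043]: warning: TLS library problem: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number:s3_srvr.c:960:
2018-03-26 00:29:22 mx postfix/smtpd[6043]: lost connection after STARTTLS from relay.example.net[192.0.2.10]
2018-03-26 00:29:23 mx postfix/smtpd[6043]: connect from relay.example.net[192.0.2.10]
2018-03-26 00:29:23 mx postfix/smtpd[6043]: 884A860167: client=relay.example.net[192.0.2.10]
2018-03-26 00:30:00 mx postfix/smtpd[6050]: SSL_accept error from retry.example.org[192.0.2.20]: -1
2018-03-26 00:30:01 mx postfix/smtpd[6050]: Anonymous TLS connection established from retry.example.org[192.0.2.20]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2018-03-26 00:30:02 mx postfix/smtpd[6050]: 1A2B3C4D5E: client=retry.example.org[192.0.2.20]
"""

if __name__ == "__main__":
    for peer, t0, t1 in find_tls_downgrades(SAMPLE_LOG.splitlines()):
        print(f"{peer}: STARTTLS failed at {t0:%H:%M:%S}, cleartext delivery at {t1:%H:%M:%S}")
```

Run it against a real mail log with `find_tls_downgrades(open("/var/log/mail.log"))` to list the senders worth contacting; the second peer in the sample is deliberately not reported because its retry negotiated TLS.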