Hello,
today I noticed a significant amount of TLS failures in my postfix log.
Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from client.example[192.0.2.25]:34152: -1
I traced some sessions and found the problematic client is announcing
the special cipher "TLS_FALLBACK_SCSV"
in a TLSv1.2 ClientHello message. Now, as my server supports TLSv1.3,
my SSL library (openssl-1.1.1) assumes a downgrade attack and closes the
connection with an SSL error message "inappropriate fallback".
The core issue is a client with a nonconforming TLS implementation.
To circumvent the problem I tried to disable TLS1.3 on my server by setting
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1.3
But that does not help.
The client still fails and delivers the message by falling back to plain text :-/
The only option to force encrypted traffic again would be a library
downgrade on my side.
Any other suggestions?
Andreas
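The following is an added illustration, not code from the post or from Postfix/OpenSSL. It models the RFC 7507 rule that produces the "inappropriate fallback" alert described above: a server that supports a higher protocol version than the client_version in a ClientHello that also carries TLS_FALLBACK_SCSV (cipher value 0x5600) must abort. It builds a minimal TLSv1.2 ClientHello (a constructed sample, not a capture from the failing client), parses the version and cipher list back out, and applies the server-side decision for a TLSv1.3-capable server and for one limited to TLSv1.2. A small helper also counts the "SSL_accept error" lines per client from Postfix smtpd log lines in the format shown in the post; the log line used is constructed.

```python
import re
import struct
from collections import Counter

TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}


def build_client_hello(version, cipher_suites):
    """Construct a minimal TLS record holding a pre-TLS1.3 ClientHello (constructed sample).

    No extensions are included, so there is no supported_versions extension and the
    server can only rely on client_version, as for the TLSv1.2 client in the post.
    """
    body = struct.pack(">H", version) + bytes(32)   # client_version + 32-byte random (zeroed)
    body += b"\x00"                                  # empty session_id
    suites = b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites  # cipher_suites vector
    body += b"\x01\x00"                              # compression_methods: null only
    body += b"\x00\x00"                              # empty extensions vector
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (client_version, [cipher suite values]) from a TLS handshake record."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    handshake = record[5:5 + rec_len]
    if handshake[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    client_version = struct.unpack(">H", body[:2])[0]
    pos = 34                                          # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    return client_version, suites


def server_decision(client_version, cipher_suites, server_max_version):
    """RFC 7507 section 3, as seen from the server.

    If the ClientHello carries TLS_FALLBACK_SCSV and client_version is lower than the
    highest version the server supports, the handshake is aborted with the
    inappropriate_fallback alert. Otherwise the usual version negotiation applies.
    """
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        return "alert: inappropriate_fallback"
    return "negotiate " + VERSIONS[min(client_version, server_max_version)]


# Constructed sample log line in the format quoted in the post (assumed, not a real capture).
SAMPLE_LOG = [
    "Oct 11 17:43:35 mta postfix/smtpd[23847]: SSL_accept error from client.example[192.0.2.25]:34152: -1",
    "Oct 11 17:44:02 mta postfix/smtpd[23851]: SSL_accept error from client.example[192.0.2.25]:34170: -1",
    "Oct 11 17:44:10 mta postfix/smtpd[23852]: connect from other.example[198.51.100.7]",
]
_SSL_ACCEPT_RE = re.compile(r"postfix/smtpd\[\d+\]: SSL_accept error from (\S+)\[([0-9.]+)\]:\d+: -1$")


def count_ssl_accept_errors(lines):
    """Count SSL_accept failures per (hostname, ip) so the offending client stands out."""
    counts = Counter()
    for line in lines:
        m = _SSL_ACCEPT_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return dict(counts)


if __name__ == "__main__":
    hello = build_client_hello(0x0303, [0xC02F, TLS_FALLBACK_SCSV])
    ver, suites = parse_client_hello(hello)
    print(VERSIONS[ver], [hex(s) for s in suites])
    print("TLSv1.3-capable server:", server_decision(ver, suites, 0x0304))
    print("server limited to TLSv1.2:", server_decision(ver, suites, 0x0303))
    print(count_ssl_accept_errors(SAMPLE_LOG))
```

The decision function shows why a client that sends the SCSV in its first, unretried TLSv1.2 ClientHello is nonconforming: per RFC 7507 the SCSV belongs only in a retry at a lower version after an earlier attempt failed. Whether capping the server at TLSv1.2 in the actual library makes the check pass depends on which version the library treats as its highest supported one; the post reports that the Postfix setting alone did not change the outcome, which this model does not reproduce.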