On Sun, Feb 23, 2020 at 10:45:14PM +0100, Michael wrote:

> After upgrading from debian stretch (providing postfix 3.1.14) to
> buster (providing postfix 3.4.8), I just found out that no incoming
> mail was received any longer.  Digging a little deeper showed me that
> turning off tls resolved this issue. But then again, there was no
> tls...
> 
> I would appreciate a little help on why postfix doesn't like my old
> settings any longer and what I have to change to get it working with
> 3.4.8.
> 
> 
> I used the very same main.cf and master.cf files with the following tls
> related settings:

> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 1

That's fine, but not consistent with the verbose logging below. Did you
temporarily set a higher log level?

> smtpd_tls_ciphers = low

These days, "medium" makes more sense; the "low" and "export"
ciphers are dead.

> here's what the log file says:
> Feb 22 08:50:07 mail postfix/smtpd[12952]: initializing the server-side TLS engine
> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]

TLS library initialization was successful.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"

That's the "low" cipherlist, so far so good...

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change cipher spec
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted extensions

Based on the TLS ClientHello, the server believes the client supports
TLS 1.3.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate request

And is soliciting a client certificate.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate

And sends its own.

> Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
> Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection

These two are from an unrelated concurrent session and should be ignored.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify

The server signs its certificate message.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data

And is now ready to hear back from the client, but what happened next?
This isn't the end of the logging from smtpd[12952]...

-- 
    Viktor.
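
Separating interleaved smtpd processes by PID, as the reply above does by eye for smtpd[12815], smtpd[12816] and smtpd[12952], can be scripted. This is an added example, not part of the original thread; the function names are illustrative, and the sample is a subset of the quoted log with the mail-wrapped lines re-joined (the parser assumes one log record per line).

```python
import re

# Constructed sample: a subset of the log quoted above, wrapped lines re-joined.
SAMPLE_LOG = """\
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
"""

LINE_RE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
STATE_RE = re.compile(r"^SSL_accept:(?P<state>.+)$")  # handshake progress lines
ERROR_RE = re.compile(r"^SSL_accept error from (?P<peer>\S+): (?P<reason>.+)$")

def split_sessions(log_text):
    """Return one record per smtpd session, in order of first appearance.

    An smtpd process serves connections one after another, so a new record
    starts at each "connect from" line (or at the first line seen for a PID
    whose connect line predates the excerpt).
    """
    sessions, current = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connect from ") or pid not in current:
            current[pid] = {"pid": pid, "states": [], "error": None}
            sessions.append(current[pid])
        rec = current[pid]
        if (e := ERROR_RE.match(msg)):
            rec["error"] = e["reason"]
        elif (s := STATE_RE.match(msg)):
            rec["states"].append(s["state"])
    return sessions

def last_state(rec):
    """Error reason if the handshake failed, else the last state logged."""
    return rec["error"] or (rec["states"][-1] if rec["states"] else "no handshake logged")

if __name__ == "__main__":
    for rec in split_sessions(SAMPLE_LOG):
        print(f"smtpd[{rec['pid']}]: {len(rec['states'])} handshake states, ended at: {last_state(rec)}")
```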
