On Sun, Feb 23, 2020 at 10:45:14PM +0100, Michael wrote:

> After upgrading from debian stretch (providing postfix 3.1.14) to
> buster (providing postfix 3.4.8), I just found out that no incoming
> mail was received any longer. Digging a little deeper showed me that
> turning off tls resolved this issue. but then again, there was no
> tls...
>
> I would appreciate a little help on why postfix doesn't like my old
> settings any longer and what I have to change to get it working with
> 3.4.8.
>
>
> I used the very same main.cf and master.cf file with the following tls
> related settings:
> smtpd_tls_security_level = may
> smtpd_tls_loglevel = 1

That's fine, but not consistent with the verbose logging below, did you
temporarily set a higher log level?

> smtpd_tls_ciphers = low

These days, "medium" makes more sense, the "low" and "export" ciphers
are dead.

> here's what the log file says:
> Feb 22 08:50:07 mail postfix/smtpd[12952]: initializing the server-side TLS
> engine
> Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from
> bendel.debian.org[82.195.75.100]

TLS library initialization was successful.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: setting up TLS connection from
> bendel.debian.org[82.195.75.100]
> Feb 22 08:50:07 mail postfix/smtpd[12952]: bendel.debian.org[82.195.75.100]:
> TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:LOW:+RC4:@STRENGTH:!aNULL"

That's the "low" cipherlist, so far so good...

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL
> initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:before SSL
> initialization
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client
> hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write server
> hello
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write change
> cipher spec
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write encrypted
> extensions

Based on the TLS ClientHello, the server believes the client supports
TLS 1.3.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write
> certificate request

And is soliciting a client certificate.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write
> certificate

And sends its own.

> Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from
> bendel.debian.org[82.195.75.100]: lost connection
> Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from
> bendel.debian.org[82.195.75.100]: lost connection

These two are from an unrelated concurrent session and should be
ignored.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server
> certificate verify

The server signs its certificate message.

> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
> Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data

And is now ready to hear back from the client, but what happened next?
This isn't the end of the logging from smtpd[12952]...

--
    Viktor.
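
Added example, not part of the original message and not Postfix code: grouping the interleaved log by smtpd process id, as the reply does by eye, separates the two "lost connection" lines from the handshake logged by smtpd[12952] and shows the last state that process reached. The sample lines are a subset of the log quoted above with the mail-client line wraps rejoined; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Subset of the log quoted in the message above, with line wraps rejoined.
SAMPLE_LOG = """\
Feb 22 08:50:07 mail postfix/smtpd[12952]: connect from bendel.debian.org[82.195.75.100]
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS read client hello
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write certificate
Feb 22 08:50:07 mail postfix/smtpd[12815]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12816]: SSL_accept error from bendel.debian.org[82.195.75.100]: lost connection
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 write server certificate verify
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:SSLv3/TLS write finished
Feb 22 08:50:07 mail postfix/smtpd[12952]: SSL_accept:TLSv1.3 early data
"""

# syslog prefix, then "postfix/smtpd[PID]: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+postfix/smtpd\[(\d+)\]:\s+(.*)$"
)


def sessions_by_pid(log_text):
    """Group smtpd log messages by process id, preserving their order."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if match:
            sessions[int(match.group(1))].append(match.group(2))
    return dict(sessions)


def handshake_summary(messages):
    """Return (handshake states in order, SSL_accept errors) for one process."""
    states = [m.split(":", 1)[1] for m in messages if m.startswith("SSL_accept:")]
    errors = [m for m in messages if m.startswith("SSL_accept error")]
    return states, errors


if __name__ == "__main__":
    for pid, msgs in sessions_by_pid(SAMPLE_LOG).items():
        states, errors = handshake_summary(msgs)
        last = states[-1] if states else "(no handshake states logged)"
        print(f"smtpd[{pid}]: {len(states)} states, last={last!r}, errors={errors}")
```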