Wietse Venema:
> Roland Freikamp:
> > On 2020-05-15 12:56:18 -0400, Wietse Venema wrote:
> > > Roland Freikamp:
> > > > Hi,
> > > > 
> > > > I recently upgraded my mailserver-linux-system, which also upgraded Postfix
> > > > from 3.4.6 to 3.4.9, and renewed the TLS-certificates (Let's Encrypt).
> > > > The Postfix-configuration did not change.
> > > > Since then, some mails could not be delivered to my server, because it
> > > > seems that the mailservers could not agree on a TLS algorithm:
> > > > 
> > > > postfix/smtpd[17880]: connect from ...[...]
> > > > postfix/smtpd[17880]: SSL_accept error from ...[...]: -1
> > > > postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
> > > > postfix/smtpd[17880]: lost connection after STARTTLS from ...[...]
> > > > postfix/smtpd[17880]: disconnect from ...[...] ehlo=1 starttls=0/1 commands=1/2
> > > > 
> > > > Setting "smtpd_tls_ciphers = low" did not help; the only way to receive
> > > > the mails was disabling TLS completely ("smtpd_tls_security_level = none").
> > > > But I would like to enable TLS again.
> > > > 
> > > > Do you know what the reason could be and how it could be fixed?
> > > > (Change in Postfix default configuration? Bad certificate? Bad TLS library?
> > > > Bad TLS on other mailserver?)
> > > 
> > > The crystal ball isn't working. What is the output from:
> > > postconf -nf | grep tls
> 
> grepp'ed with 'ciphers':
> > smtp_tls_ciphers = medium
> > smtp_tls_exclude_ciphers = aNULL,eNULL,CAMELLIA
> > smtp_tls_mandatory_ciphers = medium
> > tls_preempt_cipherlist = yes
> 
> Before asking for help, try removing those settings.

The first three don't affect RECEIVING email, but the last one
may affect the cipher that is chosen. If changing that does not
make a difference then it is possible that the sender has some 
exclusive cipher requirements.

        Wietse
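
Added example, not part of the original message: a Python script that reads Postfix smtpd log lines of the kind quoted above and counts "no shared cipher" handshake failures per connecting host, which helps identify senders with exclusive cipher requirements. The log sample, timestamps, host names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the lines quoted in the thread.
# Host names and addresses are documentation placeholders.
SAMPLE_LOG = """\
May 15 10:00:01 mx postfix/smtpd[17880]: connect from mail.example.net[192.0.2.10]
May 15 10:00:01 mx postfix/smtpd[17880]: SSL_accept error from mail.example.net[192.0.2.10]: -1
May 15 10:00:01 mx postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
May 15 10:00:01 mx postfix/smtpd[17880]: lost connection after STARTTLS from mail.example.net[192.0.2.10]
May 15 10:00:01 mx postfix/smtpd[17880]: disconnect from mail.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
May 15 10:00:05 mx postfix/smtpd[17881]: connect from ok.example.org[198.51.100.7]
May 15 10:00:06 mx postfix/smtpd[17881]: disconnect from ok.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
May 15 10:02:00 mx postfix/smtpd[17880]: connect from legacy.example.com[203.0.113.5]
May 15 10:02:00 mx postfix/smtpd[17880]: SSL_accept error from legacy.example.com[203.0.113.5]: -1
May 15 10:02:00 mx postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
May 15 10:09:00 mx postfix/smtpd[17882]: connect from mail.example.net[192.0.2.10]
May 15 10:09:00 mx postfix/smtpd[17882]: SSL_accept error from mail.example.net[192.0.2.10]: -1
May 15 10:09:00 mx postfix/smtpd[17882]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
"""

SMTPD = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
PEER = re.compile(r"(?:connect|SSL_accept error) from (\S+\[[^\]]*\])")


def no_shared_cipher_peers(log_text):
    """Count 'no shared cipher' handshake failures per connecting client."""
    current = {}          # smtpd pid -> client that process is serving now
    failures = Counter()
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        peer = PEER.match(msg)
        if peer:
            current[pid] = peer.group(1)
        elif msg.startswith("warning: TLS library problem") and ":no shared cipher:" in msg:
            # This line names no client, so attribute it via the process id.
            failures[current.get(pid, "unknown")] += 1
        elif msg.startswith("disconnect from "):
            current.pop(pid, None)   # the pid may serve another client next
    return failures


if __name__ == "__main__":
    for peer, count in no_shared_cipher_peers(SAMPLE_LOG).most_common():
        print(f"{count:3d}  {peer}")
```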
