On 2020-05-17 12:07:29 -0600, @lbutlr wrote:

> > postfix/smtpd[17880]: connect from ...[...]
> > postfix/smtpd[17880]: SSL_accept error from ...[...]: -1
> > postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
> > postfix/smtpd[17880]: lost connection after STARTTLS from ...[...]
> > postfix/smtpd[17880]: disconnect from ...[...] ehlo=1 starttls=0/1 commands=1/2
>
> Are you requiring that mailservers connect only with TLS?

No.

> I suspect you are, and that your new upgrade has removed support for the EOLed
> TLSv1.0 and TLSv1.1.

No, TLSv1.0 and v1.1 are still active; the problem was the non-RSA certificate.

> Normally, a failed negotiation of TLS on smtpd will result in the connection
> continuing with no encryption.

Unfortunately, not in this case. It looks like if the other mailserver does not know the certificate-type, it does not retry without encryption.

> You should probably have:
> smtpd_tls_security_level = may

As I wrote before: I have.

> > did not help; the only way to receive
> > the mails was disabling TLS completely ("smtpd_tls_security_level = none").
> > But I would like to enable TLS again.
>
> Then your setting should almost certainly be ‘may’ if you want to receive
> mail from this server.

I have tested this, and that does not help here.

> > (Change in Postfix default configuration? Bad certificate? Bad TLS library?
> > Bad TLS on other mailserver?)
>
> Spammer scum, most likely.

No, definitely not. The problem was incompatible certificate-types (ec384, which were not supported by the other mailserver). Switching to RSA certificates, and everything worked again.

Roland
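
An added example, not part of the original message: a Python script that scans Postfix smtpd log lines of the form quoted above and counts, per peer, the sessions where STARTTLS ended in "no shared cipher", which is how a certificate-type mismatch like the one described shows up in the log. The syslog timestamp prefix, hostnames and addresses in the sample are constructed placeholders (the post elides them).

```python
import re
from collections import Counter

# Constructed sample in the format of the log excerpt above; timestamps,
# hosts and addresses are placeholders, not values from the original post.
SAMPLE_LOG = """\
May 17 10:01:02 mx postfix/smtpd[17880]: connect from mail.example.net[192.0.2.10]
May 17 10:01:02 mx postfix/smtpd[17880]: SSL_accept error from mail.example.net[192.0.2.10]: -1
May 17 10:01:02 mx postfix/smtpd[17880]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:ssl/statem/statem_srvr.c:2282:
May 17 10:01:02 mx postfix/smtpd[17880]: lost connection after STARTTLS from mail.example.net[192.0.2.10]
May 17 10:01:02 mx postfix/smtpd[17880]: disconnect from mail.example.net[192.0.2.10] ehlo=1 starttls=0/1 commands=1/2
May 17 10:02:10 mx postfix/smtpd[17901]: connect from mx.example.org[198.51.100.7]
May 17 10:02:11 mx postfix/smtpd[17901]: disconnect from mx.example.org[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
PEER = re.compile(r"disconnect from (\S+\[[^\]]*\])")
STARTTLS_FAILED = re.compile(r"\bstarttls=0/\d+")  # 0 successes out of N attempts


def no_shared_cipher_peers(log_text):
    """Count sessions per peer where STARTTLS failed with 'no shared cipher'."""
    flagged = {}      # smtpd pid -> True once 'no shared cipher' was logged
    hits = Counter()
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if msg.startswith("connect from "):
            flagged[pid] = False      # a new session starts on this process
        elif "TLS library problem" in msg and "no shared cipher" in msg:
            flagged[pid] = True
        elif msg.startswith("disconnect from "):
            peer = PEER.match(msg)
            # Report only when the handshake error and the failed STARTTLS
            # counter belong to the same session.
            if flagged.pop(pid, False) and peer and STARTTLS_FAILED.search(msg):
                hits[peer.group(1)] += 1
    return dict(hits)


if __name__ == "__main__":
    for peer, count in no_shared_cipher_peers(SAMPLE_LOG).items():
        print(f"{peer}: {count} failed STARTTLS session(s), no shared cipher")
```

Peers that appear in this output never completed a handshake, so they are the ones to recheck after a certificate change such as the switch to RSA described above.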