On Mon, Nov 30, 2020 at 02:50:43PM -0300, SysAdmin EM wrote:

> Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC:
> Cannot start TLS: handshake failure
> Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<
> fvid...@exchange.infoauto.com.ar>, relay=exet02.hostmar.com[200.58.120.69]:25,
> delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start
> TLS: handshake failure)

With opportunistic TLS, after a TLS failure, Postfix will typically try a
second connection immediately without TLS once the message is "old enough"
(has been deferred and is being retried).  So this message is likely
delivered by now.

> posttls-finger -c -Ldebug "exet02.hostmar.com"
> posttls-finger: initializing the client-side TLS engine
> posttls-finger: setting up TLS connection to
> exet02.hostmar.com[200.58.120.69]:25
>
> posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list
> "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
> posttls-finger: SSL_connect:before/connect initialization
> posttls-finger: SSL_connect:SSLv2/v3 write client hello A
> posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25:
> lost connection

> # Postfix config
>
> mail_version = 3.5.2
>
> smtpd_use_tls=yes
> smtp_use_tls=yes
>
> smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1

You'd generally have better luck by not disabling TLSv1 and TLSv1.1; these
are the best available TLS versions for some email servers, and are not
weaker than falling back to cleartext.

> smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
> smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
>
> tls_high_cipherlist =
> kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5

This looks unwise.  The default value is better.

> smtp_tls_ciphers = high
> smtpd_tls_ciphers = high

This can be too restrictive for some peer systems that only do (medium)
RC4.  But in this case the server drops the connection immediately after
accepting the STARTTLS command, and before receiving the client TLS HELLO.

The outbound transmission of the client HELLO fails (presumably a TCP RST
arrived right after the STARTTLS ok):

posttls-finger: initializing the client-side TLS engine
posttls-finger: Connected to exet02.hostmar.com[200.58.120.69]:25
posttls-finger: < 220 HMEXCAS01.host.hm.local Microsoft ESMTP MAIL Service ready at Mon, 30 Nov 2020 16:13:58 -0300
posttls-finger: > EHLO [...]
posttls-finger: < 250-HMEXCAS01.host.hm.local Hello [...]
posttls-finger: < 250-SIZE
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-DSN
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-STARTTLS
posttls-finger: < 250-X-ANONYMOUSTLS
posttls-finger: < 250-AUTH NTLM LOGIN
posttls-finger: < 250-X-EXPS GSSAPI NTLM
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-BINARYMIME
posttls-finger: < 250-CHUNKING
posttls-finger: < 250-XEXCH50
posttls-finger: < 250 XRDST
posttls-finger: > STARTTLS
posttls-finger: < 220 2.0.0 SMTP server ready
posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH:+RC4:+3DES:!eNULL"
posttls-finger: SSL_connect:before SSL initialization
posttls-finger: SSL_connect:SSLv3/TLS write client hello
posttls-finger: SSL_connect:error in SSLv3/TLS write client hello
posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection

So there's no use trying to get TLS to work for this server, it's not
going to happen.

-- 
    Viktor.
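An added example, not part of the thread: a small Python scan over Postfix smtp(8) log lines in the format quoted above. It counts, per relay, deliveries deferred with "Cannot start TLS" and whether the same queue id was later logged as sent to that relay, which is the retry behaviour Viktor describes. The relay name and IP come from the thread; the queue ids, recipient addresses and the second relay are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the smtp(8) entries quoted in the
# thread. Queue ids, recipients and the second relay are hypothetical.
SAMPLE_LOG = """\
Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: Cannot start TLS: handshake failure
Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<user@example.invalid>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Nov 30 14:44:10 smarthost04-ded postfix-out/smtp[31330]: 1A2B3C4D5E6: to=<other@example.invalid>, relay=mx.example.invalid[192.0.2.10]:25, delay=0.40, delays=0.10/0/0.20/0.10, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as ABCDEF)
Nov 30 14:50:02 smarthost04-ded postfix-out/smtp[31341]: 0F6EE920CBC: to=<user@example.invalid>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=360, delays=359/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)
"""

# Matches the per-recipient delivery status line; the bare
# "Cannot start TLS" line that precedes it carries no to=/relay= fields.
DELIVERY_RE = re.compile(
    r"postfix\S*/smtp\[\d+\]: (?P<qid>\w+): to=<(?P<rcpt>[^>]*)>, "
    r"relay=(?P<relay>\S+?), .*?dsn=(?P<dsn>[\d.]+), "
    r"status=(?P<status>\w+) \((?P<reason>.*)\)$"
)

TLS_FAILURE = "Cannot start TLS"


def parse_delivery(line):
    """Return the fields of a delivery status line, or None for other lines."""
    m = DELIVERY_RE.search(line)
    return m.groupdict() if m else None


def summarize_tls_failures(log_text):
    """Per relay: deliveries deferred for a TLS start failure, and how many of
    those queue ids were later reported sent via the same relay (the retry
    Viktor describes, which in the opportunistic case is made without TLS)."""
    summary = defaultdict(lambda: {"tls_deferred": 0, "later_sent": 0})
    pending = set()  # (queue id, relay) pairs still waiting after a TLS failure
    for line in log_text.splitlines():
        rec = parse_delivery(line)
        if rec is None:
            continue
        key = (rec["qid"], rec["relay"])
        if rec["status"] == "deferred" and rec["reason"].startswith(TLS_FAILURE):
            summary[rec["relay"]]["tls_deferred"] += 1
            pending.add(key)
        elif rec["status"] == "sent" and key in pending:
            summary[rec["relay"]]["later_sent"] += 1
            pending.discard(key)
    return dict(summary)


if __name__ == "__main__":
    for relay, counts in summarize_tls_failures(SAMPLE_LOG).items():
        print(relay, counts)
```

Relays that keep showing up with tls_deferred but no later_sent are the ones worth checking with posttls-finger, as done in the thread.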