Thanks for the reply.

The configuration I am currently using is the following:

smtp_tls_exclude_ciphers = MD5,SRP,PSK,aDSS,kECDH,kDH,SEED,IDEA,RC2,RC5,RC4
smtp_tls_protocols = !SSLv2:!SSLv3
smtpd_tls_cert_file = /etc/pki/tls/certs/linux.ferozo.com.pem
smtpd_tls_key_file = /etc/pki/tls/private/linux.ferozo.com.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtpd_ssl_cache
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/var/lib/postfix/ssl/smtp_ssl_cache

Since I don't know how to solve the problem, I started to test
configurations and wrote so fast that I didn't explain everything
correctly.

It seems strange to me because the connection was working correctly and no
changes have been made to the settings.

Here is the configuration of the Exchange Server:
https://freeimage.host/i/FNElne

Any ideas??

On Mon, Nov 30, 2020 at 16:20, Viktor Dukhovni (
postfix-us...@dukhovni.org) wrote:

> On Mon, Nov 30, 2020 at 02:50:43PM -0300, SysAdmin EM wrote:
>
> > Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: Cannot start TLS: handshake failure
> > Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<fvid...@exchange.infoauto.com.ar>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
>
> With opportunistic TLS, after a TLS failure, Postfix will typically try
> a second connection immediately without TLS once the message is "old
> enough" (has been deferred and is being retried).  So this message
> is likely delivered by now.
>
> > posttls-finger -c -Ldebug "exet02.hostmar.com"
> > posttls-finger: initializing the client-side TLS engine
> > posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
> >
> > posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH:!aNULL"
> > posttls-finger: SSL_connect:before/connect initialization
> > posttls-finger: SSL_connect:SSLv2/v3 write client hello A
> > posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection
>
> > # Postfix config
> >
> > mail_version = 3.5.2
> >
> > smtpd_use_tls=yes
> > smtp_use_tls=yes
> >
> > smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> > smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> > smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
> > smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
>
> You'd generally have better luck by not disabling TLSv1 and TLSv1.1,
> these are the best available TLS versions for some email servers, and
> are not weaker than falling back to cleartext.
>
> > smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
> > smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
> >
> > tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5
>
> This looks unwise.  The default value is better.
>
> > smtp_tls_ciphers = high
> > smtpd_tls_ciphers = high
>
> This can be too restrictive for some peer systems that only do (medium)
> RC4.  But in this case the server drops the connection immediately after
> accepting the STARTTLS command, and before receiving the client TLS
> HELLO.  The outbound transmission of the client HELLO fails (presumably
> a TCP RST arrived right after the STARTTLS ok):
>
>     posttls-finger: initializing the client-side TLS engine
>     posttls-finger: Connected to exet02.hostmar.com[200.58.120.69]:25
>     posttls-finger: < 220 HMEXCAS01.host.hm.local Microsoft ESMTP MAIL Service ready at Mon, 30 Nov 2020 16:13:58 -0300
>     posttls-finger: > EHLO [...]
>     posttls-finger: < 250-HMEXCAS01.host.hm.local Hello [...]
>     posttls-finger: < 250-SIZE
>     posttls-finger: < 250-PIPELINING
>     posttls-finger: < 250-DSN
>     posttls-finger: < 250-ENHANCEDSTATUSCODES
>     posttls-finger: < 250-STARTTLS
>     posttls-finger: < 250-X-ANONYMOUSTLS
>     posttls-finger: < 250-AUTH NTLM LOGIN
>     posttls-finger: < 250-X-EXPS GSSAPI NTLM
>     posttls-finger: < 250-8BITMIME
>     posttls-finger: < 250-BINARYMIME
>     posttls-finger: < 250-CHUNKING
>     posttls-finger: < 250-XEXCH50
>     posttls-finger: < 250 XRDST
>     posttls-finger: > STARTTLS
>     posttls-finger: < 220 2.0.0 SMTP server ready
>     posttls-finger: setting up TLS connection to exet02.hostmar.com[200.58.120.69]:25
>     posttls-finger: exet02.hostmar.com[200.58.120.69]:25: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:@STRENGTH:+RC4:+3DES:!eNULL"
>     posttls-finger: SSL_connect:before SSL initialization
>     posttls-finger: SSL_connect:SSLv3/TLS write client hello
>     posttls-finger: SSL_connect:error in SSLv3/TLS write client hello
>     posttls-finger: SSL_connect error to exet02.hostmar.com[200.58.120.69]:25: lost connection
>
> So there's no use trying to get TLS to work for this server, it's not
> going to happen.
>
> --
>     Viktor.
>
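An added example, not part of the thread and not Postfix's own code, to make the point in Viktor's reply measurable: with `smtp_tls_security_level = may`, a peer that keeps failing the TLS handshake does not stop receiving mail, it receives it in cleartext on the retry. The script below parses the two smtp(8) log line shapes that matter here: the `to=<...>, relay=..., status=deferred (Cannot start TLS: ...)` line quoted above, and Postfix's `<trust> TLS connection established to host[ip]:port: <protocol> with cipher <name>` line. It reports per relay how many deliveries used TLS, how many handshakes failed, how many messages went out in cleartext, and which peers only ever negotiated TLSv1/TLSv1.1 (the ones that break when those versions are excluded). The sample log lines are constructed for this example; the first two copy the shape quoted in the thread with the recipient replaced, the other hosts and addresses are documentation values.

```python
"""Summarize Postfix smtp(8) outbound TLS outcomes per relay (added example)."""
import re
from collections import defaultdict

# Relay as Postfix prints it: host[ip]:port
RELAY = r"(?P<host>[^\[\s,]+)\[(?P<ip>[^\]]+)\]:(?P<port>\d+)"
# "postfix-out/smtp[31323]: 0F6EE920CBC: " -- the "-out" instance suffix is optional
PREFIX = r"postfix[\w-]*/smtp\[\d+\]: (?P<qid>[0-9A-Za-z]+): "

# "Untrusted TLS connection established to mx[192.0.2.10]:25: TLSv1.2 with cipher X (256/256 bits)"
TLS_RE = re.compile(
    PREFIX + r"(?P<trust>Anonymous|Untrusted|Trusted|Verified) TLS connection "
    r"established to " + RELAY + r": (?P<proto>\S+) with cipher (?P<cipher>\S+)"
)
# "to=<r>, relay=host[ip]:25, delay=..., dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)"
STATUS_RE = re.compile(
    PREFIX + r"to=<(?P<rcpt>[^>]*)>, relay=" + RELAY +
    r", .*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+) \((?P<detail>.*)\)$"
)

# Constructed sample input. Lines 1-2 follow the shape quoted in the thread
# (recipient replaced); the other relays and addresses are documentation values.
SAMPLE_LOG = [
    "Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: Cannot start TLS: handshake failure",
    "Nov 30 14:43:58 smarthost04-ded postfix-out/smtp[31323]: 0F6EE920CBC: to=<user@example.test>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=0.16, delays=0.14/0/0.03/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)",
    "Nov 30 14:44:10 smarthost04-ded postfix-out/smtp[31330]: 1A2B3C4D5E6: Untrusted TLS connection established to mx.example.test[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Nov 30 14:44:10 smarthost04-ded postfix-out/smtp[31330]: 1A2B3C4D5E6: to=<a@example.test>, relay=mx.example.test[192.0.2.10]:25, delay=0.3, delays=0.1/0/0.1/0.1, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued)",
    "Nov 30 14:45:01 smarthost04-ded postfix-out/smtp[31331]: 2B3C4D5E6F7: Anonymous TLS connection established to legacy.example.test[198.51.100.7]:25: TLSv1 with cipher AES128-SHA (128/128 bits)",
    "Nov 30 14:45:01 smarthost04-ded postfix-out/smtp[31331]: 2B3C4D5E6F7: to=<b@example.test>, relay=legacy.example.test[198.51.100.7]:25, delay=0.5, delays=0.1/0/0.2/0.2, dsn=2.0.0, status=sent (250 2.0.0 Queued)",
    # Retry of the deferred message: no "TLS connection established" line precedes
    # the sent status for this queue id and relay, so the delivery was cleartext.
    "Nov 30 14:53:58 smarthost04-ded postfix-out/smtp[31340]: 0F6EE920CBC: to=<user@example.test>, relay=exet02.hostmar.com[200.58.120.69]:25, delay=600, delays=599/0/0.1/0.2, dsn=2.0.0, status=sent (250 2.6.0 Queued mail for delivery)",
]


def _new_stats():
    return {"tls": 0, "tls_failed": 0, "cleartext_sent": 0, "protocols": set()}


def summarize(lines):
    """Return {relay: stats} from an iterable of smtp(8) log lines."""
    stats = defaultdict(_new_stats)
    tls_seen = set()  # (queue id, relay) pairs that completed a TLS handshake
    for line in lines:
        line = line.rstrip()
        m = TLS_RE.search(line)
        if m:
            relay = f"{m['host']}[{m['ip']}]:{m['port']}"
            tls_seen.add((m["qid"], relay))
            stats[relay]["tls"] += 1
            stats[relay]["protocols"].add(m["proto"])
            continue
        m = STATUS_RE.search(line)
        if not m:
            continue  # the bare "Cannot start TLS" line names no relay; skip it
        relay = f"{m['host']}[{m['ip']}]:{m['port']}"
        if m["status"] == "deferred" and m["detail"].startswith("Cannot start TLS"):
            stats[relay]["tls_failed"] += 1
        elif m["status"] == "sent" and (m["qid"], relay) not in tls_seen:
            stats[relay]["cleartext_sent"] += 1
    return dict(stats)


def cleartext_fallback_relays(stats):
    """Relays where TLS failed at least once and never succeeded: with
    security level "may" their mail is delivered in cleartext on the retry."""
    return sorted(r for r, s in stats.items() if s["tls_failed"] and not s["tls"])


def legacy_protocol_relays(stats, modern=("TLSv1.2", "TLSv1.3")):
    """Relays that only ever negotiated a protocol outside `modern`, i.e. the
    peers that stop doing TLS if smtp_tls_protocols excludes TLSv1/TLSv1.1."""
    return sorted(r for r, s in stats.items()
                  if s["protocols"] and not s["protocols"] & set(modern))


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for relay, s in sorted(report.items()):
        print(f"{relay}: tls={s['tls']} failed={s['tls_failed']} "
              f"cleartext_sent={s['cleartext_sent']} protocols={sorted(s['protocols'])}")
    print("cleartext fallback:", cleartext_fallback_relays(report))
    print("legacy-protocol peers:", legacy_protocol_relays(report))
```

Run it against a real mail log (`summarize(open("/var/log/maillog"))`) and the two lists are the peers worth a conversation: those in the first list are receiving your mail unencrypted, those in the second would join the first list if TLSv1 and TLSv1.1 were excluded, which is the trade-off the reply describes.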
