Jörg Backschues:
> Hello,
>
> can someone explain me why the 1st connection to the remote MX fails and

Because the TLS handshake fails.

> the 2nd connection is successful?

Because the TLS handshake succeeds. :-)

> Is this a kind of fallback?

Yes. As required by the SMTP protocol standard, Postfix will try multiple
MXes after a handshake error or other error. But it will try no more than
smtp_mx_address_limit IP addresses, and no more than smtp_mx_session_limit
SMTP sessions.

	Wietse

> Thank you very much.
>
>
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: mxin.upcmail.net[213.46.255.45]:25: TLS cipher list "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: looking for session smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1 in smtp cache
> Jan 25 21:14:56 mx00 postfix/tlsmgr[5623]: lookup smtp session id=smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: SSL3 alert read:fatal:handshake failure
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: SSL_connect:error in error
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: SSL_connect error to mxin.upcmail.net[213.46.255.45]:25: -1
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40:
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: remove session smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1 from client cache
> Jan 25 21:14:56 mx00 postfix/tlsmgr[5623]: delete smtp session id=smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1
> Jan 25 21:14:56 lnxs001 postfix/smtp[212676]: 4DPh17737gz9rxf: to=<us...@unity-mail.de>, relay=mxin.upcmail.net[213.46.255.45]:25, delay=4.9, delays=4.1/0.24/0.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
> Jan 25 21:14:56 mx00 postfix/smtp[212676]: 4DPh17737gz9rxf: to=<us...@unity-mail.de>, relay=mxin.upcmail.net[213.46.255.45]:25, delay=4.9, delays=4.1/0.24/0.6/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
>
>
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: mxin.upcmail.net[213.46.255.45]:25: TLS cipher list "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: looking for session smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1 in smtp cache
> Jan 25 21:23:22 mx00 postfix/tlsmgr[5623]: lookup smtp session id=smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: SSL_connect:before SSL initialization
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: SSL_connect:SSLv3/TLS write client hello
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: SSL3 alert read:fatal:handshake failure
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: SSL_connect:error in error
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: SSL_connect error to mxin.upcmail.net[213.46.255.45]:25: -1
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40:
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: remove session smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1 from client cache
> Jan 25 21:23:22 mx00 postfix/tlsmgr[5623]: delete smtp session id=smtp&unity-mail.de&mxin.upcmail.net&213.46.255.45&&77D8B78F5DA897AD64E46B0DA492CFBF7D937A85DC5EDD2EF07C44795165A9E1
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: 4DPh17737gz9rxf: Cannot start TLS: handshake failure
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: Host offered STARTTLS: [mxin.upcmail.net]
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: 4DPh17737gz9rxf: to=<us...@unity-mail.de>, relay=mxin.upcmail.net[213.46.255.45]:25, delay=511, delays=510/0.05/0.23/0.38, dsn=2.0.0, status=sent (250 2.0.0 MXIN650 mail accepted for delivery ;id=48OQluXZa2HRF48OQlKqf2;sid=48OQluXZa2HRF;mta=vie01a-pemc-pmxin-pe11;dt=2021-01-25T21:23:22+01:00;ipsrc=85.183.142.13;)
> Jan 25 21:23:22 mx00 postfix/smtp[213255]: 4DPh17737gz9rxf: to=<us...@unity-mail.de>, relay=mxin.upcmail.net[213.46.255.45]:25, delay=511, delays=510/0.05/0.23/0.38, dsn=2.0.0, status=sent (250 2.0.0 MXIN650 mail accepted for delivery ;id=48OQluXZa2HRF48OQlKqf2;sid=48OQluXZa2HRF;mta=vie01a-pemc-pmxin-pe11;dt=2021-01-25T21:23:22+01:00;ipsrc=85.183.142.13;)
>
>
> postconf mail_version
> mail_version = 3.4.13
>
>
> # TLS
> tls_append_default_CA = yes
> smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> lmtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> tls_random_source = dev:/dev/urandom
> tls_ssl_options = NO_COMPRESSION,0x40000000
> tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
>
>
> # outgoing TLS
> smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtp_tls_ciphers = high
> smtp_tls_mandatory_ciphers = high
> smtp_tls_loglevel = 2
> smtp_tls_cert_file = /var/certs/backschues.net/cert.pem
> smtp_tls_key_file = /var/certs/backschues.net/privkey.pem
> smtp_tls_CAfile = /var/certs/backschues.net/chain.pem
> smtp_tls_CApath = /etc/ssl/certs
> smtp_tls_security_level = dane
> smtp_tls_note_starttls_offer = yes
> smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
> smtp_tls_policy_maps = hash:${config_directory}/policies/tls_policy_outgoing.hash,socketmap:inet:127.0.0.1:8461:postfix
>
>
> cipher list mxin.upcmail.net:
> TLSv1.2:
> |   ciphers:
> |     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
> |     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
> |     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> |   compressors:
> |     NULL
> |   cipher preference: server
> |   warnings:
> |     Forward Secrecy not supported by any cipher
>
> --
> Kind Regards
> Jörg Backschues
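The quoted logs and the scanner output together already contain the cause of the "SSL alert number 40" (handshake_failure): the Postfix client offers only ECDHE suites (its tls_high_cipherlist), while the remote MX offers only TLS_RSA_* suites with no forward secrecy, so the two sides share no cipher suite. The following Python script is an added example, not part of the list post or of Postfix, that checks exactly that: it pulls the offered cipher list and the alert number out of smtp_tls_loglevel=2 style log lines, reads the scanner-style server cipher list, translates OpenSSL names to IANA names with a small table (covering the suites seen in the thread), and reports the overlap. The log lines and scanner text embedded below are constructed in the same shape as the ones in the post.

```python
import re

# Constructed log excerpt in the shape of the smtp_tls_loglevel=2 lines quoted
# in the thread (one attempt, abbreviated). Not copied from a live system.
SMTP_LOG = """\
Jan 25 21:14:56 mx00 postfix/smtp[212676]: mxin.upcmail.net[213.46.255.45]:25: TLS cipher list "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
Jan 25 21:14:56 mx00 postfix/smtp[212676]: SSL3 alert read:fatal:handshake failure
Jan 25 21:14:56 mx00 postfix/smtp[212676]: warning: TLS library problem: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1543:SSL alert number 40:
"""

# Constructed scanner output in the shape of the "cipher list mxin.upcmail.net" block.
SERVER_SCAN = """\
TLSv1.2:
|   ciphers:
|     TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|     TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   compressors:
|     NULL
|   cipher preference: server
"""

# OpenSSL cipher name -> IANA suite name, for the suites that occur in the thread.
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305": "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305": "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "AES256-GCM-SHA384": "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "AES128-GCM-SHA256": "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
}
IANA_TO_OPENSSL = {iana: ossl for ossl, iana in OPENSSL_TO_IANA.items()}

CIPHER_LIST_RE = re.compile(r'TLS cipher list "([^"]+)"')
ALERT_RE = re.compile(r"SSL alert number (\d+)")
SCAN_CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)", re.MULTILINE)


def client_ciphers(log):
    """Cipher list the Postfix SMTP client offered (OpenSSL names, client order)."""
    m = CIPHER_LIST_RE.search(log)
    return m.group(1).split(":") if m else []


def tls_alert(log):
    """TLS alert number from the OpenSSL error string, or None if none was logged."""
    m = ALERT_RE.search(log)
    return int(m.group(1)) if m else None


def server_ciphers(scan):
    """IANA suite names listed in the scanner output, in the order shown."""
    return SCAN_CIPHER_RE.findall(scan)


def negotiable(client_openssl, server_iana):
    """Suites both sides support, in client preference order (OpenSSL names)."""
    server_openssl = {IANA_TO_OPENSSL.get(name, name) for name in server_iana}
    return [c for c in client_openssl if c in server_openssl]


def diagnose(log, scan):
    """Summarise why a STARTTLS handshake against this server failed (or should not)."""
    client = client_ciphers(log)
    server = server_ciphers(scan)
    common = negotiable(client, server)
    alert = tls_alert(log)
    if common:
        verdict = "cipher overlap exists; look elsewhere (protocol version, certificate, SNI)"
    elif alert == 40:
        verdict = "no shared cipher suite; alert 40 (handshake_failure) is the expected result"
    else:
        verdict = "no shared cipher suite"
    return {"client": client, "server": server, "common": common,
            "alert": alert, "verdict": verdict}


if __name__ == "__main__":
    for key, value in diagnose(SMTP_LOG, SERVER_SCAN).items():
        print(f"{key}: {value}")
```

Run it against your own `postfix/smtp` log lines and a cipher scan of the remote MX; an empty `common` list together with alert 40 means the restriction lies in the local cipher list (here the ECDHE-only tls_high_cipherlist used for `smtp_tls_ciphers = high`) rather than in the remote host's certificate or protocol settings, which is the case to handle per destination via smtp_tls_policy_maps rather than by loosening the global list.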