Hi Viktor,

Thank you for your suggestion. I made the changes as you suggested, but I am still 
seeing the same error. 

-----Original Message-----
From: owner-postfix-us...@postfix.org <owner-postfix-us...@postfix.org> On Behalf Of Viktor Dukhovni
Sent: Thursday, January 28, 2021 2:01 PM
To: postfix-users@postfix.org
Subject: Re: Trouble with STARTTLS...Connection lost

On Thu, Jan 28, 2021 at 09:48:13PM +0000, Chu, Uy wrote:

> smtp_tls_CAfile = /etc/postfix/ca.crt
> smtp_tls_ciphers = high
> smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL
> smtp_tls_loglevel = 2

Not sure why you want to disable aNULL, or set the log level > 1.

> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3
> smtp_tls_protocols = !SSLv2,!SSLv3

There are default values, no need to set them explicitly.

> smtp_tls_security_level = may
> smtp_use_tls = yes

The "smtp_use_tls" setting is obsolete and redundant.  You don't have any SMTP 
TLS policy table, so there's no need for "smtp_tls_CAfile"; you don't verify 
any certificates.

> smtpd_tls_CAfile = /etc/postfix/ca.crt

You don't need a CAfile here either, since you don't solicit client certs.  The 
subject DNs of certs in the CAfile end up in the server handshake packets, and 
if there are too many can cause problems.

> smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key
> smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt

Make sure this includes any requisite intermediate CA certs.

> smtpd_tls_ciphers = high
> smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL

With these set, you should not also customise "tls_high_cipherlist" or 
"tls_medium_cipherlist".

> smtpd_tls_loglevel = 2

Likely too verbose.

> smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache

Typically not needed, Postfix 2.10 and up support session tickets instead.

> smtpd_use_tls = yes

Instead use "smtpd_tls_security_level = may"

> tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
> tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES

Drop these overrides.

-- 
    Viktor.
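As an added example (not part of the thread, and not the original poster's actual main.cf), here is the TLS portion of the configuration rewritten to follow each point in Viktor's reply: the obsolete `smtp_use_tls`/`smtpd_use_tls` replaced by `*_tls_security_level = may`, the CAfile settings removed because no certificates are verified and no client certificates are solicited, the protocol and cipherlist overrides dropped in favour of the Postfix defaults, log levels reduced to 1, and the session cache database left out on the assumption of Postfix 2.10 or later (where session tickets are used). The certificate and key paths are the ones quoted in the thread.

```text
# Added example: smtp/smtpd TLS settings trimmed to what the reply above
# recommends. Assumes Postfix 2.10 or later; paths are from the thread.

# Outbound (smtp client): opportunistic TLS. No policy table, so nothing is
# verified and smtp_tls_CAfile is not needed. Protocols, ciphers and the
# aNULL exclusion are left at the Postfix defaults.
smtp_tls_security_level = may
smtp_tls_loglevel = 1

# Inbound (smtpd server): opportunistic TLS, replacing smtpd_use_tls = yes.
# No smtpd_tls_CAfile: client certificates are not solicited, and extra
# subject DNs would only bloat the server handshake.
smtpd_tls_security_level = may
smtpd_tls_loglevel = 1

# The cert file must hold the server certificate first, followed by any
# intermediate CA certificates the peer needs to build the chain.
smtpd_tls_cert_file = /etc/postfix/smtpout_slac_stanford_edu.crt
smtpd_tls_key_file = /etc/postfix/smtpout_slac_stanford_edu.key

# Kept from the original server-side settings (the reply only objects to
# combining these with a custom tls_high_cipherlist / tls_medium_cipherlist).
smtpd_tls_ciphers = high
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2, RC4, aNULL

# Removed entirely relative to the quoted config:
#   smtp_use_tls, smtpd_use_tls, smtp_tls_CAfile, smtpd_tls_CAfile,
#   smtp_tls_protocols, smtp_tls_mandatory_protocols,
#   smtp_tls_ciphers, smtp_tls_exclude_ciphers,
#   tls_high_cipherlist, tls_medium_cipherlist,
#   smtpd_tls_session_cache_database
```

After editing, `postconf -n` lists only the non-default settings, which is a quick way to confirm the overrides are really gone, and `postfix reload` applies the change. To check the "intermediate CA certs" point, `openssl crl2pkcs7 -nocrl -certfile /etc/postfix/smtpout_slac_stanford_edu.crt | openssl pkcs7 -print_certs -noout` prints the subject and issuer of every certificate in the file in order; the first issuer should match the second subject, and so on up the chain, with the issuer of the last certificate being a root the peer is expected to trust.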
