On March 30, 2021 7:08:39 AM GMT+02:00, "DEPRÉ Gaëtan - NGServers.com" 
<gde...@ngservers.com> wrote:
>Hi !
>
> 
>
>While trying to send an email to some...@orange.fr, I get this error log:
>
> 
>
>Mar 30 06:47:39 mail postfix/qmgr[18959]: 29D0248A23DC:
>from=x...@domain.dom, size=93541, nrcpt=1 (queue active)
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to
>smtp-in.orange.fr[80.12.242.9]:25: -1
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC: Cannot start
>TLS:
>handshake failure
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: SSL_connect error to
>smtp-in.orange.fr[193.252.22.65]:25: -1
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:47:39 mail postfix/smtp[24365]: 29D0248A23DC:
>to=y...@orange.fr,
>relay=smtp-in.orange.fr[193.252.22.65]:25, delay=0.52,
>delays=0.29/0.01/0.22/0, dsn=4.7.5, status=deferred (Cannot start TLS:
>handshake failure)
>
>Mar 30 06:47:41 mail postfix/submission/smtpd[24351]: disconnect from
>lfbn-nan-xxx.abo.wanadoo.fr[xx.yy.zz.xx] ehlo=2 starttls=1 auth=1
>mail=1
>rcpt=1 data=1 quit=1 commands=8
>
> 
>
>After a few minutes, without doing anything, I get this :
>
> 
>
>Mar 30 06:56:16 mail postfix/qmgr[18959]: 29D0248A23DC:
>from=x...@domain.dom,
>size=93541, nrcpt=1 (queue active)
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: SSL_connect error to
>smtp-in.orange.fr[193.252.22.65]:25: -1
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: warning: TLS library problem:
>error:1425F102:SSL routines:ssl_choose_client_version:unsupported
>protocol:../ssl/statem/statem_lib.c:1929:
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC: Cannot start
>TLS:
>handshake failure
>
>Mar 30 06:56:17 mail postfix/smtp[24509]: 29D0248A23DC:
>to=y...@orange.fr, relay=smtp-in.orange.fr[193.252.22.65]:25,
>delay=518, delays=518/0.02/0.12/0.35, dsn=2.0.0, status=sent (250 2.0.0
>mUwH240075Jsp0m01UwHze mail accepted for delivery)
>
>Mar 30 06:56:17 mail postfix/qmgr[18959]: 29D0248A23DC: removed
>
> 
>
>The TLS part in main.cf :
>
> 
>
>### Outbound SMTP connections (Postfix as sender)
>
>smtp_tls_security_level = dane
>
>smtp_dns_support_level = dnssec
>
>smtp_tls_policy_maps = mysql:/etc/postfix/sql/tls-policy.cf
>
>smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
>
>smtp_tls_protocols = !SSLv2, !SLv3 TLSv1.1, TLSv1.2
You have a missing "," after !SLv3, which also misses an "S".
And you exclude TLSv1, with which I can establish an encrypted connection to 
orange.fr.
>
>smtp_tls_ciphers = high
>
>smtp_tls_CAfile =
>/etc/letsencrypt/live/mymailserver.domain.dom/chain.pem
You probably don't need client certificates.
>
> 
>
> 
>
>Any clue about this error? Which cert do I use that Orange does
>not want? Why is the email sent after a few attempts?
Eventually the email is sent in plaintext without encryption.
> 
>
>Regards,
>
> 
>
>Gaetan

-- 
Christian Kivalo
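
A log check for the pattern visible in this thread (a "Cannot start TLS" handshake failure followed by status=sent from the same smtp process), as an added example that is not part of either poster's message. The sample log is constructed, the function name is hypothetical, and recognising successful handshakes assumes smtp_tls_loglevel = 1 so that "TLS connection established" lines are logged.

```python
import re

# Constructed sample, modelled on the log format quoted in this thread;
# queue IDs, hosts and addresses are placeholders.
SAMPLE_LOG = """\
Mar 30 06:47:39 mail postfix/smtp[101]: SSL_connect error to mx.example.net[192.0.2.10]:25: -1
Mar 30 06:47:39 mail postfix/smtp[101]: AAAA1111: Cannot start TLS: handshake failure
Mar 30 06:47:39 mail postfix/smtp[101]: AAAA1111: to=<y@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=0.52, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure)
Mar 30 06:56:17 mail postfix/smtp[102]: SSL_connect error to mx.example.net[192.0.2.10]:25: -1
Mar 30 06:56:17 mail postfix/smtp[102]: AAAA1111: Cannot start TLS: handshake failure
Mar 30 06:56:17 mail postfix/smtp[102]: AAAA1111: to=<y@example.net>, relay=mx.example.net[192.0.2.10]:25, delay=518, dsn=2.0.0, status=sent (250 2.0.0 ok)
Mar 30 07:01:02 mail postfix/smtp[103]: Trusted TLS connection established to mx.example.org[198.51.100.7]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Mar 30 07:01:03 mail postfix/smtp[103]: BBBB2222: to=<z@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=1.1, dsn=2.0.0, status=sent (250 2.0.0 ok)
"""

SMTP_LINE = re.compile(r"postfix/smtp\[(\d+)\]: (.*)")
DELIVERY = re.compile(r"^([0-9A-F]+): to=<([^>]*)>.*?relay=([^,]+),.*status=(\w+)")

def find_plaintext_fallbacks(log_text):
    """Return (queue_id, recipient, relay) for each delivery logged as sent
    where the same smtp process's last TLS event was a failed handshake."""
    last_tls = {}   # smtp pid -> "failed" | "established"
    hits = []
    for line in log_text.splitlines():
        m = SMTP_LINE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        if "Cannot start TLS" in msg and "status=" not in msg:
            last_tls[pid] = "failed"
        elif "TLS connection established to" in msg:
            last_tls[pid] = "established"
        d = DELIVERY.match(msg)
        if d:
            qid, rcpt, relay, status = d.groups()
            if status == "sent" and last_tls.get(pid) == "failed":
                hits.append((qid, rcpt, relay))
            last_tls.pop(pid, None)   # next delivery by this pid starts clean
    return hits

if __name__ == "__main__":
    for qid, rcpt, relay in find_plaintext_fallbacks(SAMPLE_LOG):
        print(f"{qid}: sent to {rcpt} via {relay} after a failed TLS handshake")
```

A delivery with no TLS lines at all from its smtp process is not flagged, since the log alone does not say whether that session was encrypted.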
