On 2022-06-09 at 10:35:50 UTC-0400 (Thu, 9 Jun 2022 09:35:50 -0500)
Linda Pagillo <lpad...@gmail.com>
is rumored to have said:
> Hi everyone! Yesterday I enabled TLS on my Postfix server (v.3.4.13).
> When I did, no one with a Google or Yahoo hosted address could send us
> mail (possibly others too).
> When I checked the Postfix log, I saw a bunch of this...
>
> Jun 8 17:16:52 g1 postfix/smtpd[2153672]: connect from mail-pl1-f180.google.com[209.85.214.180]
> Jun 8 17:16:52 g1 postfix/smtpd[2153672]: SSL_accept error from mail-pl1-f180.google.com[209.85.214.180]: -1
> Jun 8 17:16:52 g1 postfix/smtpd[2153672]: warning: TLS library problem: error:141FC044:SSL routines:tls_setup_handshake:internal error:../ssl/statem/statem_lib.c:109:
> Jun 8 17:16:52 g1 postfix/smtpd[2153672]: lost connection after STARTTLS from mail-pl1-f180.google.com[209.85.214.180]
> Jun 8 17:16:52 g1 postfix/smtpd[2153672]: disconnect from mail-pl1-f180.google.com[209.85.214.180] ehlo=1 starttls=0/1 commands=1/2
>
> I Googled these errors, but I have not been able to find an answer that works.
> Here are my TLS parameters...
>
> # TLS parameters
> smtpd_tls_cert_file=/etc/letsencrypt/live/g1.server_host_name.net/fullchain.pem
> smtpd_tls_key_file=/etc/letsencrypt/live/g1.server_host_name.net/privkey.pem
> smtpd_use_tls=yes
Obsolete. With Postfix 2.3 and later use smtpd_tls_security_level
instead. For most sites, 'smtpd_tls_security_level=may' is the best
choice.
> smtp_tls_CApath=/etc/ssl/certs
> smtp_tls_security_level=encrypt
This will require all *outbound* SMTP sessions to use TLS. You will not
be able to send mail to systems without working inbound TLS.
> smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3
That prohibits the use of all possible SSL and TLS versions. Not what
you want. Letting that stay at the default is safe enough for nearly all
sites.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
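The three settings questioned in the reply above can be caught before `postfix reload` with a small check. The script below is an added example, not part of either message and not a Postfix tool: a POSIX-sh linter that reads a main.cf-style file and reports the obsolete `smtpd_use_tls`, the mandatory outbound `smtp_tls_security_level = encrypt`, and a `*_tls_protocols` value that excludes every SSL/TLS version. The `tls_protocols_left` helper models Postfix's two list forms (exclusion with `!`, or inclusion) so the last check works for any value, not only the one in the post. The sample main.cf is constructed to mirror the original post; the hostname and certificate paths are the poster's placeholders, and the suggested replacement values are this example's own reading of the reply.

```shell
#!/bin/sh
# Added example, not from the thread and not a Postfix tool: a POSIX-sh
# checker for the three main.cf settings questioned in the reply above.
# It reads a main.cf-style file, so it runs offline with no postconf or
# mail server. The sample main.cf at the bottom is constructed to mirror
# the original post; the hostname and paths are the poster's placeholders.

KNOWN_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# tls_protocols_left VALUE
# Prints the protocol versions still usable under a *_tls_protocols value.
# Postfix takes either an exclusion list ("!SSLv2, !SSLv3": everything
# else allowed) or an inclusion list ("TLSv1.2, TLSv1.3": only those).
# An empty value adds no restriction at the Postfix layer. Mixing the two
# forms is rejected by Postfix and is not modelled here.
tls_protocols_left() {
    value=$(printf '%s' "$1" | tr ',' ' ')
    left=""
    for p in $KNOWN_PROTOCOLS; do
        case " $value " in
            *" !$p "*) ok=no ;;    # named with "!": excluded
            *" $p "*)  ok=yes ;;   # named without "!": included
            *'!'*)     ok=yes ;;   # exclusion list that does not name p
            '  ')      ok=yes ;;   # empty value: nothing excluded
            *)         ok=no ;;    # inclusion list that does not name p
        esac
        if [ "$ok" = yes ]; then
            left="$left $p"
        fi
    done
    printf '%s\n' "${left# }"
}

# lint_postfix_tls FILE
# Reads "name = value" lines and prints one finding per problem setting,
# with the fix suggested in the reply. Returns 1 if anything was reported.
lint_postfix_tls() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        name=$(printf '%s' "$line" | sed 's/[[:space:]]*=.*$//')
        value=$(printf '%s' "$line" | sed 's/^[^=]*=[[:space:]]*//')
        case "$name" in
            smtpd_use_tls)
                echo "WARN $name: obsolete since Postfix 2.3;" \
                     "set smtpd_tls_security_level = may instead"
                found=1 ;;
            smtp_tls_security_level)
                if [ "$value" = encrypt ]; then
                    echo "WARN $name = encrypt: every outbound delivery must" \
                         "use TLS, so mail to servers without STARTTLS is" \
                         "deferred; use 'may' for opportunistic TLS"
                    found=1
                fi ;;
            smtpd_tls_protocols|smtp_tls_protocols)
                if [ -z "$(tls_protocols_left "$value")" ]; then
                    echo "FAIL $name: every SSL/TLS version is excluded, so" \
                         "no handshake can succeed; drop the setting (default)" \
                         "or exclude only old versions, e.g. !SSLv2, !SSLv3"
                    found=1
                fi ;;
        esac
    done < "$1"
    return "$found"
}

# write_sample_main_cf PATH: constructed fragment mirroring the original post.
write_sample_main_cf() {
    cat > "$1" <<'EOF'
# TLS parameters
smtpd_tls_cert_file = /etc/letsencrypt/live/g1.server_host_name.net/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/g1.server_host_name.net/privkey.pem
smtpd_use_tls = yes
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_security_level = encrypt
smtpd_tls_protocols = !SSLv2, !SSLv3 !TLSv1 !TLSv1.1 !TLSv1.2 !TLSv1.3
EOF
}

sample=$(mktemp)
write_sample_main_cf "$sample"
if lint_postfix_tls "$sample"; then
    echo "no findings"
else
    echo "fix the settings above, then run: postfix reload"
fi
rm -f "$sample"
```

Run it against a real configuration with `postconf -n > /tmp/main.cf && lint_postfix_tls /tmp/main.cf` (after sourcing the script), since `postconf -n` prints only the explicitly set parameters in the same `name = value` form the linter expects. On the posted configuration it reports all three findings; with `smtpd_tls_security_level = may` and the protocol list left at its default or reduced to `!SSLv2, !SSLv3`, it reports nothing.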