>>>> This server does not support TLS 1.3 yet and TLS 1.2 is the only
>>>> version currently allowed for submission.
>
> That sounds like a rather old (EOL) version of OpenSSL. TLS 1.3
> support was added in OpenSSL 1.1.1 [11 Sep 2018]. Are you using
> OpenSSL 1.1.0 or the even older 1.0.2?
It's CentOS 7; Red Hat sometimes does backports, but version numbers
usually don't change.
Name : openssl
Version : 1.0.2k
Release : 25.el7_9
Architecture: x86_64
Source RPM : openssl-1.0.2k-25.el7_9.src.rpm
Build Date : Mon 28 Mar 2022 05:43:15 PM CEST
Build Host : x86-01.bsys.centos.org
This seems to be the latest version. CentOS 7 is supported until 2024-06-30.
Migration to CentOS 8 was planned, but with Red Hat withdrawing support
(turning CentOS 8 into CentOS Stream, a rolling-release distribution
for testing), I'm planning for Alma/Rocky 9.
>>> Do you have "tls_preempt_cipherlist = yes"? I wonder why AES128 is used
>>> as opposed to AES256.
>>
>> Yes, sorry, I've tried different options while troubleshooting.
>>
>> With tls_preempt_cipherlist unset it logs:
>>
>> Anonymous TLS connection established from <redacted>: TLSv1.2 with cipher
>> ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
>
> Though I'll see it if you provide a PCAP file, what is the lifetime of
> your certificate?
I've already sent it; greylisting interfered.
>
> # cert=$(postconf -xh smtpd_tls_cert_file) # or just explicit path
> # openssl x509 -noout -dates -in $cert
It's a Let's Encrypt certificate, and it had about 50 days left.
I forcefully renewed it for testing (including a new key), but it didn't help.
Not Before: Oct 13 18:28:47 2022 GMT
Not After : Jan 11 18:28:46 2023 GMT
Best regards
Gerald
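The two checks discussed in this message (certificate lifetime via openssl x509, and whether the local OpenSSL build can negotiate TLS 1.3 at all) as a self-contained script. This is an added example, not code posted by anyone in the thread; it assumes the openssl CLI is on PATH and uses a throwaway self-signed certificate generated into a temp directory so it runs without touching a real Postfix installation. The certificate path and CN are illustrative.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the certificate-lifetime
# check suggested in the quoted reply against a constructed self-signed
# certificate, and probe whether this OpenSSL build knows TLS 1.3.
# Assumptions: openssl CLI on PATH; file names below are illustrative.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/smtpd.pem"   # stand-in for what postconf -xh smtpd_tls_cert_file would return
KEY="$WORK/smtpd.key"

# Constructed test certificate valid for 50 days, mirroring the
# "about 50 days left" Let's Encrypt certificate in the message.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 50 \
    -subj "/CN=mail.example.test" -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# Same command as in the quoted reply: print notBefore/notAfter of a cert.
cert_dates() {
  openssl x509 -noout -dates -in "$1"
}

# Return 0 if the certificate is still valid $2 days from now, 1 if it
# will have expired by then. -checkend takes seconds, hence the multiply.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Whether this OpenSSL build accepts the -tls1_3 option (added in 1.1.1).
# On 1.0.2 (CentOS 7) the s_client usage text does not list it, so this
# returns non-zero there regardless of what the peer supports.
openssl_has_tls13() {
  openssl s_client -help 2>&1 | grep -q -- '-tls1_3'
}

make_test_cert
cert_dates "$CERT"
if cert_valid_for_days "$CERT" 30; then
  echo "certificate still valid 30 days from now"
else
  echo "certificate expires within 30 days"
fi
if cert_valid_for_days "$CERT" 60; then
  echo "certificate still valid 60 days from now"
else
  echo "certificate expires within 60 days (expected for the 50-day test cert)"
fi
if openssl_has_tls13; then
  echo "$(openssl version): TLS 1.3 available"
else
  echo "$(openssl version): no TLS 1.3 support, TLS 1.2 is the ceiling"
fi
```

To run the same checks against a live Postfix certificate, point CERT at the output of `postconf -xh smtpd_tls_cert_file` instead of the generated file; the `-checkend` form is handy in a cron job because its exit status can be tested directly without parsing dates.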