Hi, I have a few mail relays using Let's Encrypt certs to provide TLS. I'm pretty sure I've configured them properly, but hope someone would confirm. I've seen a few errors that I believe are a result of a poorly configured client, but I wanted to be sure.

Dec 7 10:27:32 armor postfix-110/smtpd[5701]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
Dec 7 06:00:58 armor postfix-110/smtpd[4066575]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:

Here is the config I'm using for all hosts. All hosts are listed in the same cert.

smtp_tls_security_level = may
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols = >=TLSv1.2
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
tls_preempt_cipherlist = yes
smtpd_tls_mandatory_ciphers = high
#smtpd_tls_protocols = >=TLSv1.2
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/letsencrypt/cert.pem
smtpd_tls_key_file = /etc/letsencrypt/privkey.pem
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
tls_random_source = dev:/dev/urandom
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_tls_session_cache
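
An added example, not part of the original post: a small Python triage script for the two "TLS library problem" warnings quoted above. It decodes the packed OpenSSL 3.x error code to separate a connection that the peer dropped (reason 294) from a fatal TLS alert that the peer sent (reason 1000 + alert number); the function names and the alert table are this example's own, and the sample input is the two log lines from the post.

```python
import re
from collections import Counter

# Sample input: the two warnings quoted in the post above.
SAMPLE_LOG = """\
Dec 7 10:27:32 armor postfix-110/smtpd[5701]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
Dec 7 06:00:58 armor postfix-110/smtpd[4066575]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80:
"""

# OpenSSL 3.x packs an error code as (library << 23) | reason.
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons > 1000 are fatal alerts received from the peer

# TLS alert descriptions (RFC 8446, section 6); subset useful for SMTP triage.
ALERTS = {40: "handshake_failure", 42: "bad_certificate", 45: "certificate_expired",
          46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
          71: "insufficient_security", 80: "internal_error", 112: "unrecognized_name"}

# error:<hex code>:<library>:<function, empty in 3.x>:<reason text>:<file>:<line>:<data>
LINE_RE = re.compile(
    r"(?P<proc>\S+)\[(?P<pid>\d+)\]: warning: TLS library problem: "
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^:]*):")

def parse_line(line):
    """Return a dict describing one 'TLS library problem' warning, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    code = int(m["code"], 16)
    lib, reason_num = (code >> 23) & 0xFF, code & 0x7FFFFF
    alert = None
    if lib == ERR_LIB_SSL and reason_num > SSL_AD_REASON_OFFSET:
        alert = reason_num - SSL_AD_REASON_OFFSET
    return {"service": m["proc"], "pid": int(m["pid"]), "reason": m["reason"],
            "reason_num": reason_num, "peer_alert": alert,
            "peer_alert_name": ALERTS.get(alert)}

def summarize(log_text):
    """Count warnings per (service, reason text, peer alert name)."""
    events = filter(None, map(parse_line, log_text.splitlines()))
    return Counter((e["service"], e["reason"], e["peer_alert_name"]) for e in events)

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

Grouping by service name keeps multi-instance setups such as postfix-110 separate, so a single misbehaving client pool shows up against the instance it talks to.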