On 2022-12-07 at 12:28:49 UTC-0500 (Wed, 7 Dec 2022 12:28:49 -0500) Alex <mysqlstud...@gmail.com> is rumored to have said:
> Hi,
> I have a few mail relays using Let's Encrypt certs to provide TLS. I'm
> pretty sure I've configured them properly, but hope someone would confirm.
> I've seen a few errors that I believe are a result of a poorly configured
> client, but I wanted to be sure.
>
> Dec 7 10:27:32 armor postfix-110/smtpd[5701]: warning: TLS library
> problem: error:0A000126:SSL routines::unexpected eof while
> reading:ssl/record/rec_layer_s3.c:308:
>
> Dec 7 06:00:58 armor postfix-110/smtpd[4066575]: warning: TLS library
> problem: error:0A000438:SSL routines::tlsv1 alert internal
> error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80

Likely a case of a client that expected to be able to negotiate a connection but got stuck without a negotiable protocol/cipher.

> Here is the config I'm using for all hosts. All hosts are listed in the
> same cert.
>
> smtp_tls_security_level = may
> smtpd_tls_security_level = may
> smtpd_tls_mandatory_protocols = >=TLSv1.2
> smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
> smtpd_tls_exclude_ciphers = MD5, RC4, 3DES, IDEA, SEED, aNULL
> tls_preempt_cipherlist = yes
> smtpd_tls_mandatory_ciphers = high

Why are you explicitly setting ANY of these? Use the defaults. They are safe and functional.

-- 
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
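An added example, not part of this thread: a small Python parser for Postfix "TLS library problem" warnings like the two quoted above. It splits the OpenSSL 3 error string and decodes the packed error code (library id, reason code and, for alert reasons, the TLS alert number, which should agree with the trailing "SSL alert number" text), so recurring peer failures can be counted by reason rather than read one by one. The sample input is the two log lines from the post, rejoined onto single lines.

```python
import re
from collections import Counter

# Constructed sample input: the two smtpd warnings quoted in the thread, rejoined one per line.
SAMPLE_LOG = """\
Dec 7 10:27:32 armor postfix-110/smtpd[5701]: warning: TLS library problem: error:0A000126:SSL routines::unexpected eof while reading:ssl/record/rec_layer_s3.c:308:
Dec 7 06:00:58 armor postfix-110/smtpd[4066575]: warning: TLS library problem: error:0A000438:SSL routines::tlsv1 alert internal error:ssl/record/rec_layer_s3.c:1584:SSL alert number 80
"""

# Postfix logs the OpenSSL 3 error string verbatim: error:<8 hex>:<library>::<reason>:<file>:<line>:[<extra>]
TLS_WARNING = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[]+)\[(?P<pid>\d+)\]: "
    r"warning: TLS library problem: error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*)::"
    r"(?P<reason>[^:]*):(?P<file>[^:]+):(?P<line>\d+):?(?P<extra>.*)$"
)

# OpenSSL 3 packs the library id into bits 23..30 and the reason into the low 23 bits;
# TLS alert reasons are the alert number plus 1000 (SSL_AD_REASON_OFFSET).
ERR_LIB_SSL = 20
ALERT_REASON_OFFSET = 1000

def decode_openssl_code(code_hex):
    """Split a packed OpenSSL 3 error code into library id, reason code and alert number."""
    code = int(code_hex, 16)
    reason = code & 0x7FFFFF
    alert = reason - ALERT_REASON_OFFSET
    return {
        "lib_id": (code >> 23) & 0xFF,
        "reason_code": reason,
        "alert": alert if 0 <= alert < 256 else None,
    }

def parse_tls_warning(line):
    """Return a dict for a Postfix 'TLS library problem' warning, or None for any other line."""
    m = TLS_WARNING.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"], rec["line"] = int(rec["pid"]), int(rec["line"])
    rec.update(decode_openssl_code(rec["code"]))
    rec["is_ssl_lib"] = rec["lib_id"] == ERR_LIB_SSL
    return rec

def summarize(log_text):
    """Count warnings by reason text, so a chatty peer shows up as a pattern rather than noise."""
    return Counter(r["reason"] for r in map(parse_tls_warning, log_text.splitlines()) if r)

if __name__ == "__main__":
    for rec in filter(None, map(parse_tls_warning, SAMPLE_LOG.splitlines())):
        print(f"{rec['ts']} pid={rec['pid']} reason={rec['reason']!r} code={rec['reason_code']} alert={rec['alert']}")
```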