I have set up Postfix so that internally I offer TLS to systems but do not require it, since I have no control over their configuration. I did extensive testing to ensure that the mail gateway supports TLS and accepts email from another Postfix system where TLS is disabled. But today I found a system failing to route email through the Postfix gateway that has me baffled.
My best guess based on searching the archives is that there may be a defect in the remote system that is causing the issue.

I looked at the documentation and I think the next step would be to configure the smtpd_discard_ehlo_keyword_address_maps option and use a CIDR file for the mapping (i.e. smtpd_discard_ehlo_keyword_address_maps = cidr:/etc/postfix/smtpd_discard_ehlo_keyword_address_maps). The contents of the file would be the IP address of the system and the STARTTLS keyword if I want to disable TLS for this IP (i.e. 123.456.789.123 STARTTLS). I tested this on my test system with good ole telnet and it seems to have the effect I desired. Am I missing anything?

[snippet from main.cf]
smtpd_tls_security_level = may

[snippet from log]
May 05 16:27:59 zzz postfix/smtpd[1234567]: connect from xxx.xxx.xxx[yyy.yyy.yyy.yyy]
May 05 16:27:59 zzz postfix/smtpd[1234567]: SSL_accept error from xxx.xxx.xxx[yyy.yyy.yyy.yyy]: -1
May 05 16:27:59 zzz postfix/smtpd[1234567]: warning: TLS library problem: error:03000098:digital envelope routines::invalid digest:crypto/evp/m_sigver.c:343:
May 05 16:27:59 zzz postfix/smtpd[1234567]: warning: TLS library problem: error:0A0C0103:SSL routines::internal error:ssl/statem/statem_srvr.c:2684:
May 05 16:27:59 zzz postfix/smtpd[1234567]: lost connection after STARTTLS from xxx.xxx.xxx[yyy.yyy.yyy.yyy]
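An added example, not part of the original post: a Python triage script that scans smtpd log lines of the kind quoted above, ties the address-less "TLS library problem" warnings to a client through the smtpd PID, and lists the clients whose sessions died after STARTTLS, which are the candidates for an entry in the CIDR map. The sample log, hostnames and addresses are constructed, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the log excerpt above; hostnames and
# addresses are documentation placeholders (RFC 5737), not from the post.
SAMPLE_LOG = """\
May 05 16:27:59 mx postfix/smtpd[1001]: connect from legacy.example[192.0.2.10]
May 05 16:27:59 mx postfix/smtpd[1001]: SSL_accept error from legacy.example[192.0.2.10]: -1
May 05 16:27:59 mx postfix/smtpd[1001]: warning: TLS library problem: error:03000098:digital envelope routines::invalid digest:crypto/evp/m_sigver.c:343:
May 05 16:27:59 mx postfix/smtpd[1002]: connect from ok.example[198.51.100.7]
May 05 16:27:59 mx postfix/smtpd[1001]: warning: TLS library problem: error:0A0C0103:SSL routines::internal error:ssl/statem/statem_srvr.c:2684:
May 05 16:28:00 mx postfix/smtpd[1002]: Anonymous TLS connection established from ok.example[198.51.100.7]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
May 05 16:28:00 mx postfix/smtpd[1001]: lost connection after STARTTLS from legacy.example[192.0.2.10]
May 05 16:28:01 mx postfix/smtpd[1002]: disconnect from ok.example[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CONNECT = re.compile(r"^connect from \S*\[(?P<ip>[^\]]+)\]")
TLS_ERR = re.compile(r"^warning: TLS library problem: error:(?P<code>[0-9A-F]+):[^:]*::(?P<reason>[^:]+):")

def failed_starttls_clients(log_text):
    """Return {client_ip: {"failures": n, "reasons": set}} for sessions lost after STARTTLS."""
    current_ip = {}                 # smtpd pid -> client of the session in progress
    pending = defaultdict(set)      # smtpd pid -> OpenSSL reasons seen in that session
    report = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        if (c := CONNECT.match(msg)):
            current_ip[pid] = c["ip"]
            pending[pid] = set()
        elif (e := TLS_ERR.match(msg)):
            # These warnings carry no client address; the pid ties them to a session.
            pending[pid].add(f'{e["code"]} {e["reason"]}')
        elif msg.startswith("lost connection after STARTTLS") and pid in current_ip:
            entry = report.setdefault(current_ip[pid], {"failures": 0, "reasons": set()})
            entry["failures"] += 1
            entry["reasons"] |= pending[pid]
    return report

if __name__ == "__main__":
    for ip, info in failed_starttls_clients(SAMPLE_LOG).items():
        print(ip, info["failures"], sorted(info["reasons"]))
```

Any address placed in the map is no longer offered STARTTLS, so its mail to the gateway travels in cleartext; the report is useful for keeping that list limited to clients that actually fail the handshake.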