On Fri, May 05, 2023 at 06:55:23PM -0500, E R via Postfix-users wrote:
> I have setup Postfix so that internally I offer TLS to systems but do not
> require it since I have no control over their configuration. I did
> extensive testing to ensure that the mail gateway supports TLS and accepts
> email from another Postfix system where TLS is disabled. But today I found
> a system failing to route email through the Postfix gateway today that has
> me baffled.
>
> My best guess based on searching the archives is that there may be a defect
> in the remote system that is causing the issue. I looked at the
> documentation and I think the next step would be to configure the
> smtpd_discard_ehlo_keyword_address_maps option and use a CIDR file for the
> mapping. (i.e. smtpd_discard_ehlo_keyword_address_maps =
> cidr:/etc/postfix/smtpd_discard_ehlo_keyword_address_maps). The contents
> of the file would be the IP address of the system and the STARTTLS keyword
> if I want to disable TLS for this IP (i.e. 123.456.789.123 STARTTLS). I
> tested this on my test system with good ole telnet and it seems to have the
> effect I desired.
>
> Am I missing anything?
>
> [snippet from main.cf]
> smtpd_tls_security_level = may
>
> [snippet from log]
> May 05 16:27:59 zzz postfix/smtpd[1234567]: connect from
> xxx.xxx.xxx[yyy.yyy.yyy.yyy]
> May 05 16:27:59 zzz postfix/smtpd[1234567]: SSL_accept error from
> xxx.xxx.xxx[yyy.yyy.yyy.yyy]: -1
> May 05 16:27:59 zzz postfix/smtpd[1234567]: warning: TLS library problem:
> error:03000098:digital envelope routines::invalid
> digest:crypto/evp/m_sigver.c:343:
> May 05 16:27:59 zzz postfix/smtpd[1234567]: warning: TLS library problem:
> error:0A0C0103:SSL routines::internal error:ssl/statem/statem_srvr.c:2684:
> May 05 16:27:59 zzz postfix/smtpd[1234567]: lost connection after STARTTLS
> from xxx.xxx.xxx[yyy.yyy.yyy.yyy]

Because TLS/SSL things are very complex, you have to show us all the real
settings. Like me: (yw-0919: inbound, yw-1204: outbound)

[1] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-0919
[2] https://gitlab.com/soyeomul/Gnus/-/raw/master/DKIM/smtp-conf.yw-1204

Then we go to check things, IMHO.

Sincerely,
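
An added example, not part of the original thread: a Python scan of Postfix smtpd log lines in the format quoted above that groups failed STARTTLS handshakes by client IP together with the OpenSSL error codes, so the affected clients are known before any per-client setting such as smtpd_discard_ehlo_keyword_address_maps is considered. The sample log is constructed (placeholder hostnames, documentation addresses) and assumes each log record is on one unwrapped line.

```python
import re
from collections import defaultdict

# Constructed sample log; hostnames and 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE_LOG = """\
May 05 16:27:59 mx postfix/smtpd[1001]: connect from legacy.example[192.0.2.10]
May 05 16:27:59 mx postfix/smtpd[1001]: SSL_accept error from legacy.example[192.0.2.10]: -1
May 05 16:27:59 mx postfix/smtpd[1001]: warning: TLS library problem: error:03000098:digital envelope routines::invalid digest:crypto/evp/m_sigver.c:343:
May 05 16:27:59 mx postfix/smtpd[1001]: warning: TLS library problem: error:0A0C0103:SSL routines::internal error:ssl/statem/statem_srvr.c:2684:
May 05 16:27:59 mx postfix/smtpd[1001]: lost connection after STARTTLS from legacy.example[192.0.2.10]
May 05 16:28:03 mx postfix/smtpd[1002]: connect from ok.example[198.51.100.7]
May 05 16:28:03 mx postfix/smtpd[1002]: disconnect from ok.example[198.51.100.7] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
"""

LINE = re.compile(r"postfix/smtpd\[(\d+)\]: (.*)$")
ACCEPT_ERR = re.compile(r"SSL_accept error from \S*\[([^\]]+)\]")
TLS_ERR = re.compile(r"TLS library problem: error:([0-9A-Fa-f]+):[^:]*::([^:]+):")
LOST = re.compile(r"lost connection after STARTTLS from \S*\[([^\]]+)\]")


def starttls_failures(log_text):
    """Return {client_ip: {"failures": n, "errors": {(code, reason), ...}}}."""
    report = defaultdict(lambda: {"failures": 0, "errors": set()})
    pending = {}  # smtpd pid -> client IP whose SSL_accept just failed
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        if (acc := ACCEPT_ERR.search(msg)):
            pending[pid] = acc.group(1)
        elif (err := TLS_ERR.search(msg)) and pid in pending:
            # Attach the OpenSSL error to the client this smtpd process is serving.
            report[pending[pid]]["errors"].add((err.group(1), err.group(2)))
        elif (lost := LOST.search(msg)) and pending.pop(pid, None) == lost.group(1):
            # Count a failure only when the session actually dropped after STARTTLS.
            report[lost.group(1)]["failures"] += 1
    return dict(report)


if __name__ == "__main__":
    for ip, info in sorted(starttls_failures(SAMPLE_LOG).items()):
        print(ip, info["failures"], sorted(info["errors"]))
```
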