On Wed, Aug 02, 2023 at 01:26:43AM -0400, Charles Sprickman via Postfix-users wrote:
> [root@mail /usr/local/etc/postfix]# postconf -n |grep smtpd_tls
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /usr/local/etc/dehydrated/certs/foo/fullchain.pem
> smtpd_tls_key_file = /usr/local/etc/dehydrated/certs/foo/privkey.pem
> smtpd_tls_loglevel = 1
> smtpd_tls_received_header = yes
> smtpd_tls_security_level = may

Any tweaks to OpenSSL fine-tuning 'tls_*' variables?

> Aug 2 01:18:56 mail postfix/smtpd[28114]: <
> pool-ANON.fios.verizon.net[10.10.10.2]: STARTTLS
> Aug 2 01:18:56 mail postfix/smtpd[28114]: >
> pool-ANON.fios.verizon.net[10.10.10.2]: 220 2.0.0 Ready to start TLS
> Aug 2 01:18:56 mail postfix/smtpd[28114]: SSL_accept error from
> pool-ANON.fios.verizon.net[10.10.10.2]: -1
> Aug 2 01:18:56 mail postfix/smtpd[28114]: warning: TLS library
> problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:
> no shared cipher:/usr/src/crypto/openssl/ssl/statem/statem_srvr.c:2285:
>
> I'm lost here - Dell doesn't really document what they're trying to do
> and the OpenSSL stuff doesn't seem to be coughing up a whole lot of
> info to give me a hint as to what cipher is being tried so I can allow
> it...

Most likely RC4-SHA or RC4-MD5 (if even more ancient). A tcpdump full
packet capture PCAP file + tshark will tell the whole story.

> How can I troubleshoot this a bit more?

What version of OpenSSL is Postfix linked with? ($ openssl version -v)
Sufficiently new OpenSSL may have dropped support for RC4 in TLS.

On Wed, Aug 02, 2023 at 04:56:40PM +1000, Phil Biggs via Postfix-users wrote:

> I read somewhere recently that alert encryption is only supported on
> the iDRAC9 and later and only after a firmware update.

The iDRAC is trying to use STARTTLS, so encrypted SMTP transport appears
to be supported. As noted by others, it may be simplest to not offer it
STARTTLS (smtpd_discard_ehlo_keyword_address_maps).

--
    Viktor.
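A triage sketch for the approach suggested in the message above (added example, not code from the thread or from Postfix): it pairs each "no shared cipher" library warning with the SSL_accept error logged by the same smtpd process, then prints cidr: table lines for smtpd_discard_ehlo_keyword_address_maps. The sample log is constructed from the excerpt quoted above, with entries unwrapped to one per line, and the function names are illustrative.

```python
import ipaddress
import re

# Constructed sample, modelled on the log excerpt quoted in the thread
# (one entry per line, as in a real maillog). 192.0.2.x lines are made up.
SAMPLE_LOG = """\
Aug  2 01:18:56 mail postfix/smtpd[28114]: SSL_accept error from pool-ANON.fios.verizon.net[10.10.10.2]: -1
Aug  2 01:18:56 mail postfix/smtpd[28114]: warning: TLS library problem: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher:/usr/src/crypto/openssl/ssl/statem/statem_srvr.c:2285:
Aug  2 01:19:03 mail postfix/smtpd[28120]: SSL_accept error from unknown[192.0.2.7]: lost connection
Aug  2 01:19:10 mail postfix/smtpd[28114]: connect from unknown[192.0.2.9]
"""

SMTPD = re.compile(r"postfix/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_ERR = re.compile(r"^SSL_accept error from \S*\[(?P<ip>[0-9A-Fa-f:.]+)\]")


def no_shared_cipher_clients(log_text):
    """Return sorted client IPs whose handshake failed with 'no shared cipher'."""
    pending = {}    # smtpd pid -> client IP of the most recent SSL_accept error
    clients = set()
    for line in log_text.splitlines():
        m = SMTPD.search(line)
        if not m:
            continue
        pid, msg = m["pid"], m["msg"]
        err = ACCEPT_ERR.match(msg)
        if err:
            pending[pid] = err["ip"]
        elif msg.startswith("warning: TLS library problem:") and pid in pending:
            # The library warning carries no client address; the pid links it
            # to the SSL_accept error logged just before by the same process.
            ip = pending.pop(pid)
            if "no shared cipher" in msg:
                clients.add(str(ipaddress.ip_address(ip)))  # validates the IP
        else:
            pending.pop(pid, None)  # any other line ends the pairing window
    return sorted(clients)


def cidr_map(clients):
    """Render cidr: table lines that withhold STARTTLS from the given clients."""
    return "".join(f"{ip}\tstarttls\n" for ip in clients)


if __name__ == "__main__":
    print(cidr_map(no_shared_cipher_clients(SAMPLE_LOG)), end="")
```

Clients listed this way will submit mail in cleartext, so review each address before adding it to the table.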