in
postconf mail_version
mail_version = 3.8.1
i just caught the following TLS error in postfix logs,
2023-08-12T09:33:07.064713-04:00 cmx0024 postfix/postscreen[27816]:
cache lmdb:/var/lib/postfix/postscreen_cache full cleanup: retained=0 dropped=0
entries
2023-08-12T09:33:07.065596-04:00 cmx0024 postfix/postscreen[27816]:
CONNECT from [139.138.32.157]:7430 to [xx.xx.xx.xx]:25
2023-08-10T19:13:17.266719-04:00 cmx0024 postfix/postscreen[27816]:
PASS NEW [139.138.32.157]:7430
2023-08-10T19:13:17.281444-04:00 cmx0024 postfix/psint/smtpd[27820]:
initializing the server-side TLS engine
2023-08-10T19:13:17.295301-04:00 cmx0024 postfix/tlsmgr[27821]: open
smtpd TLS cache lmdb:/var/lib/postfix/smtpd_scache
2023-08-10T19:13:17.299116-04:00 cmx0024 postfix/tlsmgr[27821]:
tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
2023-08-10T19:13:17.305538-04:00 cmx0024 postfix/psint/smtpd[27820]:
connect from esa.hc2802-61.iphmx.com[139.138.32.157]
2023-08-10T19:13:17.455365-04:00 cmx0024 postfix/psint/smtpd[27820]:
setting up TLS connection from esa.hc2802-61.iphmx.com[139.138.32.157]
2023-08-10T19:13:17.457865-04:00 cmx0024 postfix/psint/smtpd[27820]:
esa.hc2802-61.iphmx.com[139.138.32.157]: TLS cipher list
"aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH:!aNULL"
2023-08-10T19:13:17.457948-04:00 cmx0024 postfix/psint/smtpd[27820]:
SSL_accept:before SSL initialization
2023-08-10T19:13:17.457997-04:00 cmx0024 postfix/psint/smtpd[27820]: read
from 5568B971BE70 [5568B9729063] (5 bytes => -1)
2023-08-10T19:13:17.524878-04:00 cmx0024 postfix/psint/smtpd[27820]: read
from 5568B971BE70 [5568B9729063] (5 bytes => 5 (0x5))
2023-08-10T19:13:17.525272-04:00 cmx0024 postfix/psint/smtpd[27820]:
0000 16 03 01 00 9e .....
2023-08-10T19:13:17.525319-04:00 cmx0024 postfix/psint/smtpd[27820]: read
from 5568B971BE70 [5568B9729068] (158 bytes => 158 (0x9E))
2023-08-10T19:13:17.525363-04:00 cmx0024 postfix/psint/smtpd[27820]:
0000 01 00 00 9c 03 03 7f ba|ca 0f ba 3b 79 07 9e 6a ........ ...;y..j
2023-08-10T19:13:17.525398-04:00 cmx0024 postfix/psint/smtpd[27820]: 0010
72 e1 43 86 d5 2b 89 65|9f a1 75 6b 24 3e 2b 84 r.C..#.e ..uk$>+.
2023-08-10T19:13:17.525455-04:00 cmx0024 postfix/psint/smtpd[27820]:
0020 67 3a d8 fa a7 2a 00 00|2e c0 30 c0 28 c0 14 00 g:...*.. ..0.(...
2023-08-10T19:13:17.525494-04:00 cmx0024 postfix/psint/smtpd[27820]:
0030 9f 00 6b 00 39 01 88 00|9d 00 3d 00 35 00 84 c0 ..k.9... ..=.5...
2023-08-10T19:13:17.525559-04:00 cmx0024 postfix/psint/smtpd[27820]:
0040 2f c0 27 c0 12 00 9e 00|67 00 33 00 45 00 9c 00 /.'..... g.3.E...
2023-08-10T19:13:17.525598-04:00 cmx0024 postfix/psint/smtpd[27820]: 0050
3c 00 2f 00 40 00 ff 01|00 00 43 00 0b 00 04 03 <./.A... ..C.....
2023-08-10T19:13:17.525635-04:00 cmx0024 postfix/psint/smtpd[27820]:
0060 00 01 02 00 0a 00 0a 00|08 00 17 00 18 00 17 00 ........ ........
2023-08-10T19:13:17.525669-04:00 cmx0024 postfix/psint/smtpd[27820]:
0070 13 00 23 00 00 00 0d 00|20 00 1c 06 01 06 02 06 ..#..... .......
2023-08-10T19:13:17.525703-04:00 cmx0024 postfix/psint/smtpd[27820]:
0080 03 05 01 03 02 05 03 04|01 04 02 04 03 03 01 03 ........ ........
2023-08-10T19:13:17.525732-04:00 cmx0024 postfix/psint/smtpd[27820]:
0090 02 03 01 02 01 02 02 02|03 00 0f 00 01 01 ........ ......
2023-08-10T19:13:17.525766-04:00 cmx0024 postfix/psint/smtpd[27820]:
SSL_accept:before SSL initialization
2023-08-10T19:13:17.525800-04:00 cmx0024 postfix/psint/smtpd[27820]: write
to 5568B971BE70 [5568B9732240] (7 bytes => 7 (0x7))
2023-08-10T19:13:17.525829-04:00 cmx0024 postfix/psint/smtpd[27820]:
0000 15 03 03 00 02 02 28 ......(
2023-08-10T19:13:17.525857-04:00 cmx0024 postfix/psint/smtpd[27820]:
SSL3 alert write:fatal:handshake failure
2023-08-10T19:13:17.526149-04:00 cmx0024 postfix/psint/smtpd[27820]:
SSL_accept:error in error
2023-08-10T19:13:17.526636-04:00 cmx0024 postfix/psint/smtpd[27820]:
SSL_accept error from esa.hc2802-61.iphmx.com[139.138.32.157]: -1
2023-08-10T19:13:17.527266-04:00 cmx0024 postfix/psint/smtpd[27820]:
warning: TLS library problem: error:0A0000C1:SSL routines::no shared
cipher:ssl/statem/statem_srvr.c:2220:
2023-08-10T19:13:17.527415-04:00 cmx0024 postfix/psint/smtpd[27820]:
lost connection after STARTTLS from esa.hc2802-61.iphmx.com[139.138.32.157]
2023-08-10T19:13:17.527457-04:00 cmx0024 postfix/psint/smtpd[27820]:
disconnect from esa.hc2802-61.iphmx.com[139.138.32.157] ehlo=1 starttls=0/1
commands=1/2
after which it reconnects, and re-xmits unencrypted
i've been dialing up logging, and dialing down sec levels, trying to figure out
what specific cipher from the sender's server is causing the problem, not
being offered/found, etc.
currently / so far, this server's config is
postconf -n | grep -i tls | grep -i cipher
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP,
PSK, kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA, AESCCM8,
3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256,
ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
smtp_tls_mandatory_ciphers = medium
smtpd_tls_ciphers = medium
smtpd_tls_exclude_ciphers =
smtpd_tls_mandatory_ciphers = medium
tls_preempt_cipherlist = yes
tlsproxy_tls_mandatory_exclude_ciphers =
$smtpd_tls_mandatory_exclude_ciphers
i'm not seeing the cause of the problem :-/
am i looking in the wrong place? or is that^ config already a cause?
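
Added example, not part of the original post and not Postfix code: one way to see which ciphers the sending host offers is to decode the cipher_suites list from the ClientHello bytes that smtpd already logged above, then match the codes against `openssl ciphers -V` output. DUMP holds the first six rows of that dump as logged; SERVER_V is a constructed excerpt of `openssl ciphers -V` output, and the function names are this example's own.

```python
import re

# First six rows of the ClientHello dump from the log above (syslog prefixes
# stripped, bytes as logged); they cover the whole cipher_suites list.
DUMP = """\
0000 01 00 00 9c 03 03 7f ba|ca 0f ba 3b 79 07 9e 6a ........ ...;y..j
0010 72 e1 43 86 d5 2b 89 65|9f a1 75 6b 24 3e 2b 84 r.C..#.e ..uk$>+.
0020 67 3a d8 fa a7 2a 00 00|2e c0 30 c0 28 c0 14 00 g:...*.. ..0.(...
0030 9f 00 6b 00 39 01 88 00|9d 00 3d 00 35 00 84 c0 ..k.9... ..=.5...
0040 2f c0 27 c0 12 00 9e 00|67 00 33 00 45 00 9c 00 /.'..... g.3.E...
0050 3c 00 2f 00 40 00 ff 01|00 00 43 00 0b 00 04 03 <./.A... ..C.....
"""

# Constructed excerpt of `openssl ciphers -V` output, standing in for the server.
SERVER_V = """\
 0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
 0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
 0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
"""

# Offset, then at most 16 hex bytes; the cap keeps the ASCII column out.
ROW = re.compile(r"^[0-9a-f]{4} ((?:[0-9a-f]{2}[ |]){1,16})", re.M)

def dump_to_bytes(text):
    """Rebuild raw bytes from hexdump rows, ignoring the ASCII column."""
    return b"".join(bytes.fromhex(m.group(1).replace("|", " "))
                    for m in ROW.finditer(text))

def offered_suites(hello):
    """Cipher suite codes from a ClientHello, in the client's preference order."""
    if len(hello) < 39 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    pos += 1 + hello[pos]             # session_id length byte + session_id
    if pos + 2 > len(hello):
        raise ValueError("truncated before cipher_suites")
    n = int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    if n % 2 or pos + n > len(hello):
        raise ValueError("truncated or malformed cipher_suites list")
    return ["0x%02X,0x%02X" % (hello[i], hello[i + 1]) for i in range(pos, pos + n, 2)]

def shared(offered, openssl_v):
    """(code, OpenSSL name) for offered suites present in `openssl ciphers -V` text."""
    local = dict(re.findall(r"(0x[0-9A-F]{2},0x[0-9A-F]{2}) - (\S+)", openssl_v))
    return [(c, local[c]) for c in offered if c in local]

if __name__ == "__main__":
    suites = offered_suites(dump_to_bytes(DUMP))
    print(len(suites), "offered:", " ".join(suites))
    print("shared:", shared(suites, SERVER_V))
```

To use it on a live system, replace SERVER_V with the output of `openssl ciphers -V` run on the cipher list string that smtpd logs in its "TLS cipher list" line. OpenSSL also needs a certificate matching a suite's Au= type before it can select that suite, so an overlap in names alone does not guarantee a handshake.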