On 2023-08-12 at 09:47:57 UTC-0400 (Sat, 12 Aug 2023 09:47:57 -0400)
pgnd via Postfix-users <p...@dev-mail.net>
is rumored to have said:
> in
> postconf mail_version
> mail_version = 3.8.1
> i just caught the following TLS error in postfix logs,
> 2023-08-12T09:33:07.064713-04:00 cmx0024 postfix/postscreen[27816]:
> cache lmdb:/var/lib/postfix/postscreen_cache full cleanup: retained=0
> dropped=0 entries
> 2023-08-12T09:33:07.065596-04:00 cmx0024 postfix/postscreen[27816]:
> CONNECT from [139.138.32.157]:7430 to [xx.xx.xx.xx]:25
> 2023-08-10T19:13:17.266719-04:00 cmx0024 postfix/postscreen[27816]:
> PASS NEW [139.138.32.157]:7430
> 2023-08-10T19:13:17.281444-04:00 cmx0024 postfix/psint/smtpd[27820]:
> initializing the server-side TLS engine
> 2023-08-10T19:13:17.295301-04:00 cmx0024 postfix/tlsmgr[27821]: open
> smtpd TLS cache lmdb:/var/lib/postfix/smtpd_scache
> 2023-08-10T19:13:17.299116-04:00 cmx0024 postfix/tlsmgr[27821]:
> tlsmgr_cache_run_event: start TLS smtpd session cache cleanup
> 2023-08-10T19:13:17.305538-04:00 cmx0024 postfix/psint/smtpd[27820]:
> connect from esa.hc2802-61.iphmx.com[139.138.32.157]
> 2023-08-10T19:13:17.455365-04:00 cmx0024 postfix/psint/smtpd[27820]:
> setting up TLS connection from esa.hc2802-61.iphmx.com[139.138.32.157]
> 2023-08-10T19:13:17.457865-04:00 cmx0024 postfix/psint/smtpd[27820]:
> esa.hc2802-61.iphmx.com[139.138.32.157]: TLS cipher list
> "aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH:!aNULL"
> 2023-08-10T19:13:17.457948-04:00 cmx0024 postfix/psint/smtpd[27820]:
> SSL_accept:before SSL initialization
> 2023-08-10T19:13:17.457997-04:00 cmx0024 postfix/psint/smtpd[27820]:
> read from 5568B971BE70 [5568B9729063] (5 bytes => -1)
> 2023-08-10T19:13:17.524878-04:00 cmx0024 postfix/psint/smtpd[27820]:
> read from 5568B971BE70 [5568B9729063] (5 bytes => 5 (0x5))
> 2023-08-10T19:13:17.525272-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0000 16 03 01 00 9e .....
> 2023-08-10T19:13:17.525319-04:00 cmx0024 postfix/psint/smtpd[27820]:
> read from 5568B971BE70 [5568B9729068] (158 bytes => 158 (0x9E))
> 2023-08-10T19:13:17.525363-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0000 01 00 00 9c 03 03 7f ba|ca 0f ba 3b 79 07 9e 6a ........
> ...;y..j
> 2023-08-10T19:13:17.525398-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0010 72 e1 43 86 d5 2b 89 65|9f a1 75 6b 24 3e 2b 84 r.C..#.e
> ..uk$>+.
> 2023-08-10T19:13:17.525455-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0020 67 3a d8 fa a7 2a 00 00|2e c0 30 c0 28 c0 14 00 g:...*..
> ..0.(...
> 2023-08-10T19:13:17.525494-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0030 9f 00 6b 00 39 01 88 00|9d 00 3d 00 35 00 84 c0 ..k.9...
> ..=.5...
> 2023-08-10T19:13:17.525559-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0040 2f c0 27 c0 12 00 9e 00|67 00 33 00 45 00 9c 00 /.'.....
> g.3.E...
> 2023-08-10T19:13:17.525598-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0050 3c 00 2f 00 40 00 ff 01|00 00 43 00 0b 00 04 03 <./.A...
> ..C.....
> 2023-08-10T19:13:17.525635-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0060 00 01 02 00 0a 00 0a 00|08 00 17 00 18 00 17 00 ........
> ........
> 2023-08-10T19:13:17.525669-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0070 13 00 23 00 00 00 0d 00|20 00 1c 06 01 06 02 06 ..#.....
> .......
> 2023-08-10T19:13:17.525703-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0080 03 05 01 03 02 05 03 04|01 04 02 04 03 03 01 03 ........
> ........
> 2023-08-10T19:13:17.525732-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0090 02 03 01 02 01 02 02 02|03 00 0f 00 01 01 ........ ......
> 2023-08-10T19:13:17.525766-04:00 cmx0024 postfix/psint/smtpd[27820]:
> SSL_accept:before SSL initialization
> 2023-08-10T19:13:17.525800-04:00 cmx0024 postfix/psint/smtpd[27820]:
> write to 5568B971BE70 [5568B9732240] (7 bytes => 7 (0x7))
> 2023-08-10T19:13:17.525829-04:00 cmx0024 postfix/psint/smtpd[27820]:
> 0000 15 03 03 00 02 02 28 ......(
> 2023-08-10T19:13:17.525857-04:00 cmx0024 postfix/psint/smtpd[27820]:
> SSL3 alert write:fatal:handshake failure
> 2023-08-10T19:13:17.526149-04:00 cmx0024 postfix/psint/smtpd[27820]:
> SSL_accept:error in error
> 2023-08-10T19:13:17.526636-04:00 cmx0024 postfix/psint/smtpd[27820]:
> SSL_accept error from esa.hc2802-61.iphmx.com[139.138.32.157]: -1
> 2023-08-10T19:13:17.527266-04:00 cmx0024 postfix/psint/smtpd[27820]:
> warning: TLS library problem: error:0A0000C1:SSL routines::no shared
> cipher:ssl/statem/statem_srvr.c:2220:
> 2023-08-10T19:13:17.527415-04:00 cmx0024 postfix/psint/smtpd[27820]:
> lost connection after STARTTLS from
> esa.hc2802-61.iphmx.com[139.138.32.157]
> 2023-08-10T19:13:17.527457-04:00 cmx0024 postfix/psint/smtpd[27820]:
> disconnect from esa.hc2802-61.iphmx.com[139.138.32.157] ehlo=1
> starttls=0/1 commands=1/2
> after which it reconnects, and re-xmits unencrypted
> i've been dialing up logging, and dialing down sec levels, trying to
> figure out what specific cipher from the sender's server is causing
> the problem, not being offered/found, etc.
> currently / so far, this server's config is
> postconf -n | grep -i tls | grep -i cipher
> smtp_tls_ciphers = medium
> smtp_tls_exclude_ciphers = EXP, LOW, MEDIUM, aNULL, eNULL, SRP, PSK,
> kDH, DH, kRSA, DHE, DSS, RC4, DES, IDEA, SEED, ARIA, CAMELLIA,
> AESCCM8, 3DES, ECDHE-ECDSA-AES256-SHA384, ECDHE-ECDSA-AES128-SHA256,
> ECDHE-RSA-AES256-SHA384, ECDHE-RSA-AES128-SHA256, MD5, SHA
> smtp_tls_mandatory_ciphers = medium
> smtpd_tls_ciphers = medium
> smtpd_tls_exclude_ciphers =
> smtpd_tls_mandatory_ciphers = medium
> tls_preempt_cipherlist = yes
> tlsproxy_tls_mandatory_exclude_ciphers =
> $smtpd_tls_mandatory_exclude_ciphers

Why?

Can you explain how each of these is better than the Postfix defaults?

> i'm not seeing the cause of the problem :-/
> am i looking in the wrong place? or is that^ config already a cause?

I expect that Viktor will respond with a detailed coherent explanation
of why your bespoke config is breaking your system. He will be correct
about every word.
I will just say that you should remove all non-default TLS-related
settings for which you cannot give a detailed technical justification,
beyond "some random web page told me to do it."
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
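Added example (not part of either message in this thread, and not Postfix code): at this log level smtpd has already dumped the peer's raw ClientHello, so the question in the quoted mail (which ciphers the sender offers, and whether the local cipher list admits any of them) can be answered by decoding those bytes instead of by lowering security levels. The script parses the ClientHello and alert records transcribed from the log above and uses the local Python `ssl` module to name the suites and to expand the server cipher string Postfix logged. The function names (`parse_client_hello`, `parse_alert`, `openssl_suite_names`, `shared_suites`) are my own, and the suite names and the intersection reflect the OpenSSL on the machine running the script, not the one on cmx0024.

```python
import ssl
import struct

# Bytes transcribed from the postfix/psint/smtpd log lines quoted above: the
# ClientHello record the peer sent (5-byte record header + 158-byte body) and
# the 7-byte alert record the server answered with.
CLIENT_HELLO_RECORD = bytes.fromhex(
    "16 03 01 00 9e"
    "01 00 00 9c 03 03 7f ba ca 0f ba 3b 79 07 9e 6a"
    "72 e1 43 86 d5 2b 89 65 9f a1 75 6b 24 3e 2b 84"
    "67 3a d8 fa a7 2a 00 00 2e c0 30 c0 28 c0 14 00"
    "9f 00 6b 00 39 01 88 00 9d 00 3d 00 35 00 84 c0"
    "2f c0 27 c0 12 00 9e 00 67 00 33 00 45 00 9c 00"
    "3c 00 2f 00 40 00 ff 01 00 00 43 00 0b 00 04 03"
    "00 01 02 00 0a 00 0a 00 08 00 17 00 18 00 17 00"
    "13 00 23 00 00 00 0d 00 20 00 1c 06 01 06 02 06"
    "03 05 01 03 02 05 03 04 01 04 02 04 03 03 01 03"
    "02 03 01 02 01 02 02 02 03 00 0f 00 01 01"
)
ALERT_RECORD = bytes.fromhex("15 03 03 00 02 02 28")
# The server-side cipher list Postfix logged for this session.
SERVER_CIPHER_STRING = ("aNULL:-aNULL:HIGH:MEDIUM:!SEED:!IDEA:!3DES:!RC2:!RC4:!RC5:"
                        "!kDH:!kECDH:!aDSS:!MD5:+RC4:@STRENGTH:!aNULL")
# AlertDescription values from RFC 5246 section 7.2 (subset).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      42: "bad_certificate", 70: "protocol_version", 80: "internal_error"}


def _u16_list(data):
    """Decode a TLS vector of 16-bit values that is prefixed by its own 16-bit length."""
    if len(data) < 2:
        return []
    body = data[2:2 + int.from_bytes(data[:2], "big")]
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, len(body) - 1, 2)]


def parse_client_hello(record):
    """Extract versions, cipher suites and the key extensions from a raw ClientHello record."""
    ctype, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or body[:1] != b"\x01":
        raise ValueError("not a handshake record carrying a ClientHello")
    p = 4                                          # handshake type + 24-bit length
    client_version = int.from_bytes(body[p:p + 2], "big")
    p += 2 + 32                                    # version, then 32-byte client random
    p += 1 + body[p]                               # session id
    cs_len = int.from_bytes(body[p:p + 2], "big")
    p += 2
    suites = [int.from_bytes(body[p + i:p + i + 2], "big") for i in range(0, cs_len, 2)]
    p += cs_len
    p += 1 + body[p]                               # compression methods
    ext_len = int.from_bytes(body[p:p + 2], "big")
    p += 2
    exts, end = {}, p + ext_len
    while p + 4 <= end:                            # type(2) length(2) data(length)
        etype, elen = struct.unpack("!HH", body[p:p + 4])
        exts[etype] = body[p + 4:p + 4 + elen]
        p += 4 + elen
    return {
        "record_version": rec_ver,
        "client_version": client_version,
        "cipher_suites": suites,
        "supported_groups": _u16_list(exts.get(10, b"")),
        "signature_algorithms": _u16_list(exts.get(13, b"")),
        "extensions": sorted(exts),
    }


def parse_alert(record):
    """Decode a TLS alert record into its level and description."""
    ctype, _ver, length = struct.unpack("!BHH", record[:5])
    if ctype != 0x15 or length != 2:
        raise ValueError("not an alert record")
    return {"level": "fatal" if record[5] == 2 else "warning",
            "description": ALERT_DESCRIPTIONS.get(record[6], str(record[6]))}


def openssl_suite_names():
    """Map IANA suite code -> OpenSSL name from the local OpenSSL's own table.
    SSLContext.get_ciphers() reports each id as 0x0300 << 16 | suite_code."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    except ssl.SSLError:
        return {}
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}


def shared_suites(client_suites, cipher_string):
    """Suites in the client's offer that the server's expanded cipher string still enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    enabled = {c["id"] & 0xFFFF for c in ctx.get_ciphers()}
    return [s for s in client_suites if s in enabled]


def main():
    hello = parse_client_hello(CLIENT_HELLO_RECORD)
    names = openssl_suite_names()
    print(f"client_version 0x{hello['client_version']:04x}, extensions {hello['extensions']}")
    for s in hello["cipher_suites"]:
        print(f"  offered 0x{s:04x} {names.get(s, '(unknown to local OpenSSL)')}")
    print("supported_groups:", [hex(g) for g in hello["supported_groups"]])
    print("server answered:", parse_alert(ALERT_RECORD))
    print("still allowed by the logged server cipher string:",
          [hex(s) for s in shared_suites(hello["cipher_suites"], SERVER_CIPHER_STRING)])


if __name__ == "__main__":
    main()
```

Run it with `python3` on any host; no network access is needed. The offer has no supported_versions extension and a client_version of 0x0303, so TLS 1.2 is the ceiling, and the alert record decodes to the same fatal handshake_failure the log states. If `shared_suites` comes back non-empty on your OpenSSL, the cipher strings are not what excluded every suite, and "no shared cipher" then points at what a cipher string cannot express: the key type of the server certificate (every recognisable suite in this offer authenticates with an RSA or DSS key, none with ECDSA), the OpenSSL security level, or the absence of a usable key-exchange group or DH parameters.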
_______________________________________________
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org