On 8/15/23 14:49, Viktor Dukhovni via Postfix-users wrote:
smtp_tls_loglevel = 0

Level 1 is typically more informative at negligible additional cost.


I have set this option and tried to send email once again:

Aug 15 18:11:48 flopster postfix/smtp[6025]: warning: TLS library problem: error:0A000417:SSL routines::sslv3 alert illegal parameter:../openssl-3.0.9/ssl/record/rec_layer_s3.c:1586:SSL alert number 47:
Aug 15 18:11:48 flopster postfix/smtp[6025]: B3E8116E006D: Cannot start TLS: handshake failure
Aug 15 18:11:50 flopster postfix/smtp[6025]: warning: TLS library problem: error:0A000417:SSL routines::sslv3 alert illegal parameter:../openssl-3.0.9/ssl/record/rec_layer_s3.c:1586:SSL alert number 47:
Aug 15 18:11:50 flopster postfix/smtp[6025]: B3E8116E006D: to=<l...@east.ru>, relay=mail.east.ru[195.170.62.14]:25, delay=5.2, delays=0.01/0/5.2/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)

On 8/15/23 14:49, Viktor Dukhovni via Postfix-users wrote:
Not clear why one would choose to prefer cleartext fallback over TLSv1.
Indeed, so long as the TCP connection succeeds, address verification
probes may not queue to retry a cleartext delivery.  Queueing probes
for a cleartext retry may expose your queue to greater risk of
congestion.  But perhaps it is a risk that one should be prepared to
take when enabling sender or recipient verification.

Well, what I mean is that after manual verification I can see that l...@east.ru 
seems to be accepting mail only via cleartext connections. Furthermore, 
regarding the safety question: I configured Postfix to use DNSSEC and to check whether 
the domain has DANE, so I think it is obvious that if we have a TLSA record which 
is trusted thanks to DNSSEC, Postfix should not fall back; however, in this case we 
are not following such behaviour and we are safe to fall back to cleartext.

On 8/15/23 14:49, Viktor Dukhovni via Postfix-users wrote:
admin@flopster ~ $ sudo postconf | grep ^address_verify

No "sudo" necessary, and please report "postconf -n", rather than
"postconf" output.

Sure, there it is:

admin@flopster ~ $ postconf -n | grep -e ^smtp_tls -e ^address_verify
address_verify_negative_refresh_time = 5m
address_verify_sender = address.verif...@at.encryp.ch
smtp_tls_cert_file = /etc/ssl/domains/flopster.at.encryp.ch/fullchain
smtp_tls_key_file = /etc/ssl/domains/flopster.at.encryp.ch/key
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_protocols = >=0x0303
smtp_tls_security_level = dane

On 8/15/23 14:49, Viktor Dukhovni via Postfix-users wrote:
address_verify_negative_refresh_time = 5m

This is perhaps too short. The default is:

     address_verify_negative_refresh_time = 3h


I have set this on purpose: this is for email servers that do greylisting for 
a short period of time, like 1-60 seconds. I think that the probing performed 
by Postfix's verify is not too heavy.
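As an added example (not part of this thread or of Postfix itself), the three log lines Postfix emits for one failed STARTTLS can be correlated mechanically: the OpenSSL alert warning is logged per smtp(8) process, the "Cannot start TLS" line per queue ID, and the recipient status line carries the dsn/status that the address-verification probe reported. The sample log below is constructed (hostnames, addresses and queue IDs are made up) and modelled on the smtp_tls_loglevel = 1 output quoted above; the script needs Python 3.8 or later.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the smtp_tls_loglevel = 1 output quoted in this thread
# (hostnames, addresses and queue IDs are made up).
SAMPLE_LOG = """\
Aug 15 18:11:48 mx1 postfix/smtp[6025]: warning: TLS library problem: error:0A000417:SSL routines::sslv3 alert illegal parameter:../openssl-3.0.9/ssl/record/rec_layer_s3.c:1586:SSL alert number 47:
Aug 15 18:11:48 mx1 postfix/smtp[6025]: AAAA00000001: Cannot start TLS: handshake failure
Aug 15 18:11:50 mx1 postfix/smtp[6025]: AAAA00000001: to=<probe@legacy.example>, relay=mail.legacy.example[192.0.2.25]:25, delay=5.2, delays=0.01/0/5.2/0, dsn=4.7.5, status=undeliverable (Cannot start TLS: handshake failure)
Aug 15 18:12:01 mx1 postfix/smtp[6031]: AAAA00000002: to=<probe@modern.example>, relay=mail.modern.example[192.0.2.30]:25, delay=1.0, delays=0.01/0/0.5/0.5, dsn=2.0.0, status=deliverable (250 2.1.5 Ok)
"""

ALERT_RE = re.compile(r"postfix/smtp\[(\d+)\]: warning: TLS library problem: .*SSL alert number (\d+)")
START_RE = re.compile(r"postfix/smtp\[(\d+)\]: ([0-9A-F]+): Cannot start TLS: (.+)")
RCPT_RE = re.compile(r"([0-9A-F]+): to=<([^>]+)>, relay=([^,]+), .*dsn=([\d.]+), status=(\w+)")

def parse_tls_failures(log_text):
    """Correlate the three lines Postfix emits for a failed STARTTLS: the OpenSSL alert
    (keyed by smtp pid), the per-queue-ID 'Cannot start TLS' line, and the recipient status."""
    last_alert = {}          # smtp pid -> most recent SSL alert number seen for that process
    tls_error = {}           # queue id -> (reason, alert number or None)
    records = []
    for line in log_text.splitlines():
        if m := ALERT_RE.search(line):
            last_alert[m[1]] = int(m[2])
        elif m := START_RE.search(line):
            tls_error[m[2]] = (m[3], last_alert.get(m[1]))
        elif m := RCPT_RE.search(line):
            qid, rcpt, relay, dsn, status = m.groups()
            reason, alert = tls_error.get(qid, (None, None))
            records.append({"qid": qid, "rcpt": rcpt, "relay": relay, "dsn": dsn,
                            "status": status, "tls_reason": reason, "ssl_alert": alert})
    return records

def relays_failing_tls(records):
    """Relays whose deliveries (or verification probes) failed at the TLS handshake."""
    out = defaultdict(lambda: {"count": 0, "alerts": set()})
    for r in records:
        if r["tls_reason"]:
            out[r["relay"]]["count"] += 1
            if r["ssl_alert"] is not None:
                out[r["relay"]]["alerts"].add(r["ssl_alert"])
    return dict(out)

if __name__ == "__main__":
    for relay, info in relays_failing_tls(parse_tls_failures(SAMPLE_LOG)).items():
        print(relay, info)
```

Run over a real mail log, the per-relay summary shows which destinations are being marked undeliverable (dsn=4.7.5) purely because of the handshake, which is the set a DANE-aware operator would want to review before allowing any cleartext fallback.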
Postfix-users mailing list -- postfix-users@postfix.org